ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mi Habilidad Nueva

v1.0.0

Asistente personalizado de bienvenida y pruebas de sistema para el servidor de Santi.

0· 555·0 current·0 all-time
by@santi-patic
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the instructions: a simple personalized welcome and system-test assistant. The skill does not request any binaries, env vars, or installs, which is reasonable for a lightweight greeting helper. However the skill's metadata sets always:true (force-included in all agent runs) even though a basic welcome skill rarely needs permanent, unconditional presence.
Instruction Scope
Instructions are narrowly scoped: identify as Santi's assistant, state that you run on an Ubuntu server, list a short set of capabilities, and keep a friendly tone. Two minor issues: (1) the SKILL.md instructs the agent to assert it is 'operating from your dedicated Ubuntu server' even though it contains no steps to verify system state — this can lead to misleading claims; (2) it lists capabilities like 'file management' and 'GitHub tasks' but gives no guidance or credentials for actually performing those actions.
Install Mechanism
No install spec or code files are present; this is instruction-only. That is low-risk and appropriate for a simple greeting/test skill.
Credentials
The skill requests no environment variables or credentials, which fits its simple purpose. However it claims larger capabilities (file management, GitHub) without requesting tokens or explaining required permissions — a mild inconsistency that could confuse users about what the skill can actually do.
!
Persistence & Privilege
always:true is set in the skill metadata. That forces the skill to be included in every agent run and increases its blast radius. The skill gives no justification for requiring permanent inclusion; this is a clear privilege escalation compared to a typical welcome/test helper.
What to consider before installing
This skill looks like a harmless greeting/test helper, but it sets always:true which means it will be forced into every agent session — ask the publisher why that is necessary and remove it unless truly required. Also be aware the skill instructs the agent to claim it's running on a dedicated Ubuntu server and to advertise capabilities (file management, GitHub) without requesting credentials or showing verification steps; confirm whether those claims are accurate and whether additional credentials or permissions will be requested later. If you don't trust the publisher or don't need a permanently-loaded welcome skill, do not install with always:true enabled.

Like a lobster shell, security has layers — review code before you run it.

latestvk972x4xamszh1hs4ds8a0tqszx81d6fg
555downloads
0stars
1versions
Updated 7h ago
v1.0.0
MIT-0
@santi-patic
latest
Download

Descripción Detallada

Esta habilidad sirve como punto de entrada para personalizar el comportamiento del bot en el servidor de Santi. Permite verificar que el sistema de carga de habilidades del espacio de trabajo está funcionando correctamente.

Instrucciones de Uso

  1. Cuando el usuario te salude de forma formal o informal, debes identificarte como el asistente personalizado de Santi.
  2. Explica brevemente que estás ejecutando OpenClaw en un servidor Ubuntu dedicado.
  3. Si el usuario te pregunta "¿Estás listo?", responde con un resumen de tus capacidades actuales (clima, resúmenes de enlaces y gestión de archivos).
  4. Mantén siempre un tono amable, profesional y eficiente.

Ejemplos de Interacción

  • Usuario: "Hola" -> Bot: "¡Hola Santi! Soy tu asistente OpenClaw personalizado, operando desde tu servidor Ubuntu."
  • Usuario: "¿Qué puedes hacer?" -> Bot: "Puedo ayudarte a resumir artículos, ver el clima y gestionar tus tareas de GitHub."

Comments

Loading comments...