Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LMFiles

v1.0.2

Upload files to lmfiles.com and return public download links via API. Use when a user wants CLI-based file hosting, quick share links, bot-accessible file up...

by S. Rob Beck (@setdemos)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (file hosting via lmfiles.com) match the actual behavior: the scripts and SKILL.md call lmfiles.com endpoints for register/upload/list/delete. However, the registry metadata lists no required env vars or primary credential, while SKILL.md and the scripts clearly require LMFILES_API_KEY (and an optional LMFILES_BOOTSTRAP_TOKEN). That metadata omission is an inconsistency.
Instruction Scope
SKILL.md and the helper scripts perform only the documented actions (account register, upload, list, delete, metadata lookup) against https://lmfiles.com and explicitly warn against uploading secrets. They do not attempt to read unrelated files or environment variables beyond the API/bootstrap tokens.
Install Mechanism
This is instruction-only with a few small bundled Bash scripts. No installer, external downloads, or archive extraction are present; scripts are simple curl wrappers.
Credentials
The skill legitimately needs LMFILES_API_KEY for authenticated operations and LMFILES_BOOTSTRAP_TOKEN for initial registration. Those are appropriate for the service, but the registry metadata failed to declare them as required environment variables/primary credential — an inconsistency that could mislead users and automated policy checks.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges and does not modify other skills or system-wide settings. It runs only API calls and uses environment vars for credentials.
Assessment
This skill appears to do exactly what it says: simple curl-based helpers for lmfiles.com. Before installing or using it:

1) Verify the lmfiles.com domain and its API docs (the SKILL.md references those URLs).
2) Expect to provide LMFILES_API_KEY (and optionally LMFILES_BOOTSTRAP_TOKEN) — the registry metadata omitted those, so add them to any environment/secret store you use.
3) Remember uploads become publicly downloadable by anyone with the link — do not upload secrets or private credentials.
4) Rotate the bootstrap token after first use and store the API key securely.
5) If you need stricter privacy, confirm the service's retention/expiration and access controls.

If you want, ask the publisher why the registry metadata doesn't list the required env vars so automated tooling can enforce secrets handling.

Like a lobster shell, security has layers — review code before you run it.
