ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

uf2.net URL Shortener

v1.0.1

Create, manage, and track custom short URLs with uf2.net API; links never expire and provide click counts and public stats via simple REST calls.

0· 431·0 current·0 all-time
byS. Rob Beck@setdemos
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill's name/description (uf2.net URL shortener) match the provided SKILL.md, API reference, and scripts: it performs link create/list/get/delete and requires an API key. However, registry metadata at the top of the package states 'Required env vars: none' and 'Primary credential: none' while SKILL.md and scripts explicitly require UF2_API_KEY — this mismatch should be corrected.
Instruction Scope
Runtime instructions are narrowly scoped to interacting with the uf2.net API via curl and the included scripts. The SKILL.md does not instruct the agent to read unrelated files or exfiltrate data to unexpected endpoints; it only references storing/using the UF2_API_KEY and using the official uf2.net endpoints.
Install Mechanism
This is an instruction-only skill with an included shell script; there is no install spec that downloads or executes remote archives or packages. No high-risk install URLs or extraction steps are present.
!
Credentials
The script and SKILL.md require a single API credential (UF2_API_KEY), which is appropriate for the stated functionality. The concern is the package-level metadata does not declare this required environment variable; that inconsistency could cause automation or permission checks to miss that a secret is needed. Also the SKILL.md suggests adding the API key to shell profile as one persistence option — users should prefer secure stores.
Persistence & Privilege
The skill does not request always:true or elevated/system-wide privileges and does not modify other skills or system-wide settings. It runs as an on-demand CLI wrapper using environment-provided credentials.
Assessment
This skill appears to do what it says: a small CLI wrapper around uf2.net. Before installing: (1) be aware it requires your uf2.net API key (UF2_API_KEY) — prefer adding that to a secure secret store rather than plaintext shell profiles, (2) the package metadata does not list the required env var (UF2_API_KEY) although the SKILL.md and script require it — treat that as a bookkeeping error and confirm your environment handling, and (3) the included script builds JSON bodies by naive string concatenation (no escaping). That can break on inputs containing quotes/newlines and could cause malformed requests; if you accept untrusted input into the script, consider improving it to safely escape JSON (for example using jq --arg or printf with proper escaping). If you rely on this skill in an automated agent, ensure the agent's secret storage and policy enforce secure handling of UF2_API_KEY and review the script changes above.

Like a lobster shell, security has layers — review code before you run it.

latestvk979pks8n0jm37g4zst12dhfax81tnqgredirectionvk979pks8n0jm37g4zst12dhfax81tnqgseovk979pks8n0jm37g4zst12dhfax81tnqgurlvk979pks8n0jm37g4zst12dhfax81tnqgurl shortenervk979pks8n0jm37g4zst12dhfax81tnqgurl shorteningvk979pks8n0jm37g4zst12dhfax81tnqg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments