Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
SchemGuard
v0.1.2
Detect breaking changes in OpenAPI specs. Use when reviewing API changes, validating PRs that modify API specs, checking backward compatibility, or linting O...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description match the instructions: the SKILL.md shows npx commands invoking @sethclawd/schemaguard for diff, lint, and CI checks. Requiring npx is proportional to the stated goal.
Instruction Scope
Instructions are narrowly scoped to running the tool against OpenAPI spec files (old.yaml, new.yaml, openapi.yaml). The doc also describes an MCP server mode (--mcp) that exposes command handlers; the file does not say which address or port that server binds to or whether it requires authentication, so confirm what it exposes before running it in a sensitive environment.
Install Mechanism
This is an instruction-only skill with no bundled code. It relies on npx to fetch and run the @sethclawd/schemaguard npm package at runtime. That is coherent with the purpose but carries the usual npm/supply-chain risk because the package code isn't included for inspection here.
Credentials
No environment variables, credentials, or config paths are requested. The declared requirements are minimal and appropriate for a CLI tool that operates on local spec files.
Persistence & Privilege
always:false (default) and no install hooks or modifications to other skills are present. Nothing in SKILL.md requests permanent elevated presence or cross-skill config changes.
Assessment
This skill appears coherent for checking OpenAPI compatibility. Before installing or running it: (1) verify the npm package @sethclawd/schemaguard (owner, popularity, source code, recent release), because npx will fetch code from the registry at runtime; (2) be cautious with the --mcp server mode: check which network ports it binds to and whether it requires authentication; (3) run the tool in a sandbox or CI runner with limited permissions when first testing; and (4) avoid pointing it at sensitive files or credentials until you have reviewed the package source or vendor reputation.
Like a lobster shell, security has layers: review code before you run it.
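The checks in the assessment above, as an added shell example. This is not code from ClawHub or from the @sethclawd/schemaguard project; it assumes only the package name and the --mcp flag mentioned on this page. The two package.json fixtures it inspects are constructed for the example, and the registry commands are printed rather than executed so the script runs offline.

```shell
#!/bin/sh
# Added example (not ClawHub's or schemaguard's code): vet a package that a skill
# will fetch through npx before letting it run.
# Assumptions: package name from the listing; package.json fixtures constructed here.
set -eu

PKG="@sethclawd/schemaguard"

# Network steps, printed rather than run. `npm pack` downloads the registry tarball
# without installing it, so none of the package's lifecycle scripts execute; unpack
# and read it first. The sandbox step disables install hooks via npm's
# ignore-scripts config (the package's own code still runs) and lists the ports
# the --mcp server binds, which is what the assessment asks you to confirm.
vet_commands() {
  cat <<EOF
npm view $PKG name version maintainers repository.url dist.tarball
npm pack $PKG
tar -xzf sethclawd-schemaguard-*.tgz && cat package/package.json
# after review, inside a sandbox, pinned to the version you read:
npm_config_ignore_scripts=true npx --yes $PKG@<version-you-reviewed> --mcp &
ss -ltnp
EOF
}

# Offline check: hooks that npm runs automatically at install time. Prints one
# hook name per line, nothing when there are none. Matching anywhere in the file
# is coarse but errs on the side of flagging.
lifecycle_hooks() {
  grep -Eo '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1" \
    | sed -E 's/[":[:space:]]//g'
}

# Number of install-time hooks; 0 means nothing runs when the package is installed.
hook_count() {
  lifecycle_hooks "$1" | grep -c . || true
}

# Constructed fixtures: a manifest with no hooks and one with two.
write_fixtures() {
  dir=$(mktemp -d)
  cat > "$dir/clean.json" <<'EOF'
{ "name": "example-clean", "version": "1.0.0", "bin": { "example": "cli.js" },
  "scripts": { "test": "node test.js" } }
EOF
  cat > "$dir/hooked.json" <<'EOF'
{ "name": "example-hooked", "version": "1.0.0", "bin": { "example": "cli.js" },
  "scripts": { "preinstall": "node fetch.js", "postinstall": "sh setup.sh" } }
EOF
  echo "$dir"
}

FIXTURES=$(write_fixtures)
vet_commands
echo "clean.json install hooks:  $(hook_count "$FIXTURES/clean.json")"
echo "hooked.json install hooks: $(hook_count "$FIXTURES/hooked.json")"
lifecycle_hooks "$FIXTURES/hooked.json"
```

Run lifecycle_hooks against the package.json extracted from the real tarball; a non-empty result means code runs at install time, before the tool is ever invoked, so read those scripts first. A clean manifest only shifts the question to the package's runtime code, which is why the assessment still asks for a sandbox on first use.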
Runtime requirements
Bins: npx
