ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Analytics Platform Base

v1.0.0

Implement Analytics Platform Base using OrbCafe UI (CAppPageLayout). Enterprise-grade React component with built-in best practices.

0· 163·0 current·0 all-time
by@shenruiyang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description ask for implementing an Analytics Platform Base with OrbCafe UI; the SKILL.md provides exactly that guidance (installation command and usage example). There are no unrelated requirements (no env vars, binaries, or config paths).
Instruction Scope
Runtime instructions are limited to installing the orbcafe-ui npm package and showing a TypeScript example using CAppPageLayout. The document does not instruct reading arbitrary files, exfiltrating data, or accessing unrelated system state.
Install Mechanism
The skill itself has no install spec (lowest risk) but tells the user to run npm/pnpm to install orbcafe-ui. This is coherent for a UI library, but installing any third-party npm package can execute package scripts (postinstall), so users should vet the package source before installing into sensitive environments.
Credentials
No environment variables, credentials, or config paths are requested. The absence of secrets or unrelated credentials is proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled, does not request persistent agent privileges, and contains no instructions to modify other skills or system-wide settings.
Assessment
This skill is an instructional snippet that tells you to install the orbcafe-ui npm package and shows example usage. Before installing the package into a project or build system: (1) verify the package's repository and publisher on npm, (2) review the package.json for postinstall scripts or unexpected dependencies, (3) pin a specific version and use a lockfile, (4) run npm audit / vulnerability scans and consider installing in an isolated environment, and (5) check license and maintenance status. The skill itself does not request secrets or perform privileged actions, but installing third-party npm packages always carries the usual supply-chain risks.

Like a lobster shell, security has layers — review code before you run it.

latestvk979x9etyn18ffskj4v9jqndx582x1xv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments