ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Api Usage Metrics

v1.0.0

Implement API Usage Metrics using OrbCafe UI (CStandardPage). Enterprise-grade React component with built-in best practices.

0· 209·0 current·0 all-time
by@shenruiyang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name and description match the SKILL.md: it shows how to use CStandardPage from the orbcafe-ui package to implement an API Usage Metrics page. There are no unrelated credentials, binaries, or install steps requested beyond installing the named npm package.
Instruction Scope
SKILL.md only shows npm/pnpm install instructions and a minimal React/TypeScript usage snippet. It does not instruct reading unrelated files, accessing environment variables, or transmitting data to unexpected endpoints.
Install Mechanism
There is no automated install spec in the skill (instruction-only). The document recommends installing orbcafe-ui from the npm registry, which is proportionate for a UI component. No arbitrary download URLs or extraction steps are present.
Credentials
The skill declares no required environment variables, credentials, or config paths; the instructions do not reference any secrets. Requested permissions are proportional to a UI library usage guide.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. It does not request permanent presence or modify other skills or system-wide settings.
Assessment
This skill is an instructional snippet telling you to install and import the orbcafe-ui npm package and is internally consistent. Before installing the package yourself: verify the npm package name and publisher (watch for typosquatting), review the package README and source repository if available, pin a specific version, run npm audit, and consider installing in a disposable/dev environment first (npm packages can run install/postinstall scripts). Because the skill is instruction-only and requests no credentials, its immediate risk is low, but the safety of using it depends on the third-party npm package you install.

Like a lobster shell, security has layers — review code before you run it.

latestvk977dxvv0kgb9xgmfhw3jcykrd82xshn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments