Api Usage Metrics
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: api-usage-metrics Version: 1.0.0 The skill bundle instructs the agent to install a specific third-party NPM package 'orbcafe-ui' (SKILL.md) to implement UI components. While the provided React code is not inherently harmful, the promotion of an unverified external dependency represents a supply chain risk, as 'npm install' commands are common vectors for delivering malicious payloads via post-install scripts. Additionally, the metadata (_meta.json) contains a future-dated timestamp (2026), which is an anomaly often seen in generated or non-standard content.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the package adds third-party code to the user's project and makes the project depend on that package.
The skill instructs the user to add a third-party npm dependency. This is expected for a React UI component skill, but dependency provenance and version pinning remain relevant user considerations.
npm install orbcafe-ui # or pnpm add orbcafe-ui
Verify the npm package, review its documentation and maintainers, and consider pinning a known-good version before installing it in important projects.