Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Automated Response Rule
v1.0.0
Implement Automated Response Rule using OrbCafe UI (CustomizeAgent). Enterprise-grade React component with built-in best practices.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (implement an Automated Response Rule using OrbCafe UI) matches the SKILL.md content: a short guide and code snippet showing how to install and use the CustomizeAgent component. No unrelated binaries, env vars, or privileges are requested.
Instruction Scope
SKILL.md only instructs to install the orbcafe-ui npm package and shows a small React/TSX usage example. It does not ask the agent to read files, access credentials, or send data to external endpoints beyond the expected npm registry.
Install Mechanism
The skill is instruction-only and has no install spec; it tells users to run npm/pnpm to fetch orbcafe-ui from the public registry. This is normal, but npm package supply-chain risks (malicious/misconfigured packages or harmful postinstall scripts) are a general concern and should be considered before installing any third-party package.
Credentials
No environment variables, credentials, or config paths are required by the skill — this is proportionate to its stated purpose (a UI component usage guide).
Persistence & Privilege
The skill is not always-enabled and does not request persistent or elevated privileges. It is instruction-only and does not modify other skills or system configuration.
Assessment
This is a simple, instruction-only skill that shows how to install and use the orbcafe-ui CustomizeAgent component. Before installing the npm package yourself, verify the orbcafe-ui package on the npm registry (maintainer, version, downloads, recent changes), inspect its README and package.json for postinstall scripts, pin a specific version in your lockfile, run an audit (npm audit / third-party scanner), and if possible test in a sandbox environment. Because the skill is only documentation and requests no secrets, there is low risk from the skill itself — the main supply-chain risk comes from the npm package you choose to install.
Like a lobster shell, security has layers — review code before you run it.
