Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
skill9
v0.1.0Cloud-synced skill vault — backup, version, and sync your AI agent skills across machines and platforms. Use when user wants to backup, sync, version-control...
⭐ 0· 17·0 current·0 all-time
bySkill9@shonge
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The declared goal (backup/version/sync skills) matches the actions described (push/pull of skill directories, hooks). However the SKILL.md and SETUP.md recommend two different install mechanisms (npm global package and curl/wget installer), and the registry metadata contains no install spec or source repository to verify the CLI — that mismatch is unexpected.
Instruction Scope
Runtime instructions direct the user/CLI to read whole skills directories for multiple platforms (~/.openclaw, ~/.claude, Cursor paths), to add hooks that run 'skill9 push' automatically, and to push after every change. That behavior can legitimately back up skills but also creates a straightforward path to exfiltrate any sensitive data present inside skill directories (credentials, tokens, config). The instructions give wide discretion without detailing what is excluded from uploads or what OAuth scopes are requested.
Install Mechanism
There is no install spec in the registry, yet SETUP.md tells you to 'npm install -g skill9' and UNINSTALL.md links to piping an installer from https://skill9.ai/install.sh. Installing arbitrary packages globally from npm or piping a remote shell script are high-risk operations when the publisher and source are not verifiable. The skill references an unknown domain (skill9.ai) and no canonical repository or release host is provided.
Credentials
The registry declares no required environment variables, but the instructions require GitHub OAuth login (skill9 login --github) and write/read access to multiple local config and skill paths. Those accesses are proportionate to a backup tool in principle, but the skill does not document scopes, what is excluded from backups, or how credentials are stored, so the requested accesses could expose unrelated secrets. No primary credential is declared despite OAuth usage being central to operation.
Persistence & Privilege
The skill intends to add hooks into platform configuration files (OpenClaw AGENTS.md, .claude/settings.json, .cursor/hooks.json) so backups run automatically. That is within the stated purpose, and 'always' is false. Still, modifying those config files creates persistent behavior and increases risk if the remote CLI or service is malicious — the combination of automatic hooks + remote installer is noteworthy.
What to consider before installing
Do not install or run this CLI yet. Ask the publisher for a verifiable source (public repository or official package page), and inspect the CLI code (or its install script) before installing. If you test it, do so from an isolated environment or VM, and do not grant it OAuth scopes that allow access to repositories or secrets without reviewing them. Verify what paths will be uploaded and whether the tool excludes credential files; prefer installing from known package sources with pinned versions rather than piping unknown scripts to sh. If you plan to use it, request documentation of OAuth scopes and a way to restrict what is backed up (e.g., a whitelist/ignore list) and confirm that the registry entry includes an install spec and homepage/source repo.Like a lobster shell, security has layers — review code before you run it.
latestvk9735dr9ncm7d0d27tbzxetptn84k612
License
MIT-0
Free to use, modify, and redistribute. No attribution required.