ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Project sourcing engine. Supports 6 resource types (Skill/Service/Material/Equipment/Human/Digital). Built for engineers and AI agents. Homepage: https://www.pclawai.com

v1.0.0

Pclaw工程寻源技能 - 知识变现平台的核心技能。当用户需要发布工程需求、匹配资源、查询技能、管理分润、创建展会等Pclaw平台操作时使用。触发词:发布需求、寻源、查技能、上架、创建展会、展会、需求广场、知识商店。

0· 74·0 current·0 all-time
by@shuangxipop1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description and SKILL.md behavior are consistent: the skill is an instruction-only adapter for the Pclaw sourcing platform (querying resources, publishing resources/demands, matching, earnings, expo). No unrelated capabilities or surprising binaries are requested.
Instruction Scope
Runtime instructions are concrete about API routes and payloads and only reference the platform's endpoints. However, the doc instructs the agent to call external endpoints (https://www.pclawai.com/api) and to handle uploads (e.g., PDFs) without describing authentication, consent, or data handling policies. That omission gives the agent broad discretion to transmit user data to an external server.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself, which minimizes installation risk.
!
Credentials
The skill uses an external API but declares no required environment variables, credentials, or primary credential. If the platform API requires auth (very likely for publishing, earnings, or uploads), those credentials are not declared — a mismatch that could lead to the agent prompting the user for secrets or attempting unauthenticated calls. The registry metadata also inconsistently lists a homepage (present in the SKILL.md but 'none' in metadata).
Persistence & Privilege
always is false and the skill is user-invocable. There is no indication it requests persistent/automatic inclusion or modifies other skills or system settings.
What to consider before installing
This skill appears to be a straightforward adapter for the Pclaw platform, but it lacks details about authentication and data handling. Before installing or using it: 1) Confirm whether Pclaw API endpoints require API keys or user auth and where/how those credentials should be provided — the skill should declare required env vars (e.g., PCLAW_API_KEY) instead of silently prompting. 2) Assume any files you upload (PDFs, BOMs) and any requirement details you provide will be sent to https://www.pclawai.com — don't send sensitive or private data until you verify the platform's privacy and security practices. 3) Verify the publisher and the homepage (the SKILL.md references https://www.pclawai.com but registry metadata shows no homepage), and prefer installing only after confirming the official source and expected auth flow. 4) If you need the agent to interact only locally, avoid giving it credentials or allowing it to call the external API. If you want a more confident assessment, provide information about the platform's auth method (API key, OAuth) or any missing credential requirements.

Like a lobster shell, security has layers — review code before you run it.

latestvk973ngsb930ks61fn8t09n9ewh83jvm2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments