ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Help.Center Article Management

v1.0.0

When the user wants to create, update, read, or manage help center articles via the Help.Center API. Use when the user says "write a help article", "update t...

0· 331·0 current·0 all-time
by@shyjal
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md are coherent: the instructions and example curl calls target a Help.Center API for searching, creating, updating, publishing, and deleting articles, which matches the stated purpose.
!
Instruction Scope
The SKILL.md explicitly instructs the agent to ask the user for an API key and Center ID and to export them as HC_API_KEY and HC_CENTER_ID for the session. However, the skill registry metadata lists no required environment variables. The instructions otherwise stay within the Help.Center API domain and do not request unrelated files or endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing is downloaded or written to disk by the skill itself (lowest install risk).
Credentials
Requiring an API key and center identifier is proportionate to the described functionality. However, the metadata's failure to declare these env vars is an inconsistency. The SKILL.md also recommends wide scopes (including content.delete); users should prefer least-privilege keys (e.g., omit delete/publish if not needed).
Persistence & Privilege
The skill does not request always:true, does not require system config paths, and is user-invocable with normal autonomous invocation settings. It does not request persistent system privileges.
What to consider before installing
This skill appears to be what it says (a Help.Center article manager) and uses only the Help.Center API endpoints in SKILL.md, but note two issues: (1) The runtime docs instruct the agent to ask for and export HC_API_KEY and HC_CENTER_ID, yet the skill metadata lists no required env vars — treat that as a sloppy/incomplete manifest. (2) The SKILL.md recommends creating API keys with broad scopes (including delete and publish). Before installing, confirm the skill's source (the README references a GitHub repo — verify it), only provide a key with the minimal scopes required for your use case (avoid content.delete unless you need deletion), and consider creating a scoped, revocable API key or test center account. If you need higher assurance, ask the skill author to update the manifest to declare the required env vars and to document scope recommendations and secure handling of keys.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ewjxjajj1djsy53ah227cqn8246tf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments