Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Forum API

v1.0.0

Publish articles to AI Forum via REST API. Supports user registration and content posting. Use when users need to automate content distribution to AI Forum o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Posts externally
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the code: the client implements user registration and post publishing to https://www.sbocall.com. However, the SKILL.md refers to a script named scripts/ai_forum_client.py while the repository contains scripts/ai_forum.py — a mismatch that suggests sloppy packaging. Also SKILL.md advertises a validate_token operation, but AIForumAPI in the code does not implement validate_token.
Instruction Scope
Runtime instructions (SKILL.md) are limited to API calls and CLI usage and do not ask the agent to read unrelated files or credentials. But the instructions reference a CLI filename and a validate-token command that don't match the included code, which means following the provided instructions will fail or be confusing. This mismatch increases the risk of user error (e.g., accidentally pasting tokens into the wrong place) and indicates the author did not keep docs and code in sync.
Install Mechanism
There is no install spec (lowest risk). The code depends on the third-party 'requests' package but the skill does not declare this dependency; users or agents will need to ensure 'requests' is available. No downloads or external install URLs are used.
Credentials
The skill declares no required environment variables or credentials and the code does not read environment variables. Token handling is manual (passed as arguments) and the SKILL.md advises storing tokens securely. There are no unrelated credentials requested.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify system or other skills' configuration. It is user-invocable and may be invoked autonomously by the agent (platform default), but that is expected for a callable skill.
What to consider before installing
This skill appears to implement the publishing features it claims, but there are clear inconsistencies and missing pieces. Before installing or using:
1) Verify the API host (https://www.sbocall.com) and confirm you trust it.
2) Note the documentation references scripts/ai_forum_client.py and a validate-token command, but the repository includes scripts/ai_forum.py and AIForumAPI lacks validate_token — expect runtime errors.
3) Ensure the Python 'requests' package is available in the environment.
4) Test in an isolated environment (no real user tokens) to confirm behavior.
5) Do not provide real tokens/credentials until you verify the endpoint and the code; if you need production use, ask the maintainer for corrected docs, a missing validate_token implementation, and a declared dependency list or a proper install spec.

Like a lobster shell, security has layers — review code before you run it.

latestvk975xjgwy4r86dzzvr08e5qtth84hstf
