Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ai Specialists

v1.1.0

Interact with AI Specialists via the AI Specialists Hub MCP endpoint. Use when the user asks about any of their AI specialists (e.g. Ruby, Peter, Benjamin, M...

0 stars · 632 downloads · 1 current · 1 all-time
by Erik Ashby (@erikashby)
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

⚠️ Purpose & Capability
The skill claims no required binaries or environment variables, but includes a shell helper (scripts/mcp-call.sh) that clearly depends on curl and python3. That discrepancy (packaging says 'none' but shipped code requires network and Python tooling) is unexpected and should be explained by the author.
⚠️ Instruction Scope
SKILL.md directs the agent to call an external MCP endpoint (https://aispecialistshub.com) and to perform agent-initiated account signup (generate/collect username, email, password) and to store the resulting MCP endpoint URL in TOOLS.md. Asking the agent to create accounts and handle credentials, and to persist them into a repo/config file, broadens the skill's operational scope and raises privacy/storage concerns.
Install Mechanism
This is an instruction-only skill (no install spec). Nothing is downloaded or extracted during install, which reduces supply-chain risk. The included script will be available but not auto-installed.
Credentials
The skill does not request environment variables or external credentials up front, which is consistent. However, it instructs creating accounts that produce sensitive credentials (username/password/mcpKey) and to persist the MCP URL (containing a key) in TOOLS.md — this is sensitive and should be treated as such. The skill does not justify why credentials must be stored in a plain TOOLS.md file.
Persistence & Privilege
always:false and normal invocation settings are appropriate. The skill asks the agent to write the MCP endpoint into TOOLS.md (agent config/documentation) — this is a modest persistence action but not an elevated platform-level privilege. Consider whether storing keys in TOOLS.md is acceptable in your environment.
What to consider before installing
This skill appears to do what it says (talk to an AI Specialists MCP endpoint) but has a few red flags you should consider before installing:

  • Verify the external service: aispecialistshub.com is the endpoint used for signup and MCP calls. Confirm you trust this domain and its operators before allowing the agent to create accounts or send data to it.
  • Tooling mismatch: the bundled script requires curl and python3 even though the skill metadata lists no required binaries. Ensure those binaries are present and review the script before running it.
  • Credentials handling: the skill supports agent-initiated signup and instructs the agent to generate/collect username, email, password, and an mcpKey, then store an MCP URL (containing the key) in TOOLS.md. Decide whether you want the agent creating accounts on your behalf and whether storing keys in TOOLS.md (likely plaintext) is acceptable. If not, require manual signup and manual injection of the MCP URL.
  • Least privilege: if you proceed, restrict network access where possible, require human approval before auto-signup, and avoid letting the agent persist credentials to public or shared repositories.

If you want higher confidence, ask the skill author to (1) update metadata to declare required binaries (curl, python3), (2) document why credentials must be stored in TOOLS.md and offer a safer storage option, and (3) provide an audited privacy/security statement for aispecialistshub.com. If those items are addressed, the skill would be closer to benign.


latest: vk97abw2w26b24wh3kd2cy5haq181jhqs
632 downloads · 0 stars · 2 versions
Updated 6h ago
v1.1.0 · MIT-0

AI Specialists Hub - MCP Integration

Connection

Call the MCP endpoint via HTTP POST. The endpoint URL is stored in TOOLS.md or provided by the user.

curl -s -X POST "$MCP_URL" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"TOOL_NAME","arguments":{...}}}'

Critical headers: the request must include Accept: application/json, text/event-stream; without it the server returns HTTP 406.

Response format: SSE. Take the payload of the data: line, parse it as JSON, and read result.content[0].text. The shorthand response.split('data: ')[1] does this but assumes exactly one data line; a JSON-RPC error response carries error instead of result, so check for it before reading content.

Available Tools

Discovery & Management

| Tool | Required Params | Description |
| --- | --- | --- |
| list_specialists | (none) | List all hired specialists |
| list_specialist_types | (none) | List available specialist types |
| hire_specialist | type, name | Hire a new specialist |
| dismiss_specialist | specialist | Remove a specialist |
| import_specialist | url | Import from GitHub URL |
| get_specialist_overview | specialist | Get specialist summary |

Workspace Navigation

| Tool | Required Params | Description |
| --- | --- | --- |
| explore_specialist_tree | specialist | Full folder/file tree |
| list_specialist_folder | specialist, folder_path | List folder contents |

Document Operations

| Tool | Required Params | Description |
| --- | --- | --- |
| read_specialist_document | specialist, document_path | Read one document |
| read_specialist_documents | specialist, document_paths (array) | Bulk read multiple docs |
| update_specialist_document | specialist, document_path, content | Create or update a doc |
| delete_specialist_document | specialist, document_path | Delete a document |

Folder Operations

| Tool | Required Params | Description |
| --- | --- | --- |
| create_specialist_folder | specialist, folder_path | Create folder (recursive) |
| delete_specialist_folder | specialist, folder_path | Delete folder and contents |

Parameter note: The specialist identifier is always the id field from list_specialists, not the display name. Use lowercase (e.g. ruby, peter, benjamin).

Working with a Specialist

Every specialist has an ai-instructions/ folder containing their identity and behavioral instructions. Always read these first when working with a specialist you haven't loaded yet:

ai-instructions/
├── core-instructions.md    # Who they are, what they do, how they behave
└── getting_started.md      # Initialization sequence, workspace structure

Pattern: First interaction with a specialist

  1. list_specialists → find the specialist id
  2. read_specialist_documents → read ai-instructions/core-instructions.md and ai-instructions/getting_started.md
  3. Understand their domain, workspace structure, and communication style
  4. explore_specialist_tree → see their full workspace
  5. Now you can work with their data informed by their context
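The connection details above (the mandatory Accept header and the SSE-framed JSON-RPC reply) together with this first-interaction pattern, as an added Python example; it is not the skill's scripts/mcp-call.sh nor code from the AI Specialists Hub project. The SSE bodies are constructed for illustration, the result shape is assumed to follow MCP's tools/call convention (content parts with a type and text, optional isError), and the substring check on the list_specialists text stands in for whatever structure that tool really returns. Only call_tool() and first_contact() touch the network.

```python
# Added example (not part of the skill or the AI Specialists Hub project):
# a minimal MCP client for this endpoint plus the "first interaction"
# sequence. SSE bodies below are constructed; real framing may differ.
import json
import urllib.request

INSTRUCTION_DOCS = ["ai-instructions/core-instructions.md",
                    "ai-instructions/getting_started.md"]


def build_tool_call(name, arguments, request_id=1):
    """Return (headers, body) for a JSON-RPC 2.0 tools/call request.

    The Accept header is mandatory: without text/event-stream the
    server answers 406.
    """
    headers = {"Content-Type": "application/json",
               "Accept": "application/json, text/event-stream"}
    payload = {"jsonrpc": "2.0", "id": request_id, "method": "tools/call",
               "params": {"name": name, "arguments": arguments}}
    return headers, json.dumps(payload).encode()


def parse_sse_response(text):
    """Return the last JSON-RPC message carried in an SSE body.

    Events are separated by a blank line and may carry several "data:"
    lines, which are joined with a newline. Unlike
    response.split('data: ')[1] this copes with no data line, several
    events, "data:" without a space and non-JSON keep-alive events.
    Raises ValueError when no JSON message is present.
    """
    messages = []
    for event in text.replace("\r\n", "\n").split("\n\n"):
        data = [ln[5:].lstrip() for ln in event.split("\n")
                if ln.startswith("data:")]
        if not data:
            continue
        try:
            messages.append(json.loads("\n".join(data)))
        except json.JSONDecodeError:
            continue
    if not messages:
        raise ValueError("no JSON-RPC message in SSE body")
    return messages[-1]


def tool_text(message):
    """Return the joined text parts of a successful tools/call result.

    A JSON-RPC error response carries "error" instead of "result", and a
    tool-level failure sets result.isError; both raise so the caller never
    treats an error body as specialist data.
    """
    if "error" in message:
        err = message["error"]
        raise RuntimeError(f"JSON-RPC error {err.get('code')}: {err.get('message')}")
    result = message["result"]
    text = "\n".join(part.get("text", "") for part in result.get("content", [])
                     if part.get("type") == "text")
    if result.get("isError"):
        raise RuntimeError(f"tool error: {text}")
    return text


def call_tool(mcp_url, name, arguments, timeout=30):
    """POST one tools/call to the MCP endpoint and return its text (network)."""
    headers, body = build_tool_call(name, arguments)
    req = urllib.request.Request(mcp_url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return tool_text(parse_sse_response(resp.read().decode("utf-8")))


def first_contact(mcp_url, specialist_id):
    """First-interaction pattern: list -> read instructions -> explore tree.

    specialist_id must be the lowercase id from list_specialists, not a
    display name. The membership test is a crude substring check on the
    tool's text output (assumption about its format).
    """
    specialist_id = specialist_id.lower()
    roster = call_tool(mcp_url, "list_specialists", {})
    if specialist_id not in roster:
        raise LookupError(f"{specialist_id!r} not in list_specialists output")
    instructions = call_tool(mcp_url, "read_specialist_documents",
                             {"specialist": specialist_id,
                              "document_paths": INSTRUCTION_DOCS})
    tree = call_tool(mcp_url, "explore_specialist_tree",
                     {"specialist": specialist_id})
    return {"instructions": instructions, "tree": tree}


# Constructed SSE bodies (illustrative, not captured from the service).
SAMPLE_SSE = ("event: message\n"
              'data: {"jsonrpc":"2.0","id":1,"result":{"content":[{"type":"text",'
              '"text":"# Ruby\\nCore instructions..."}]}}\n\n')
SAMPLE_ERROR_SSE = ('data: {"jsonrpc":"2.0","id":1,"error":{"code":-32602,'
                    '"message":"Unknown specialist: Ruby"}}\n\n')
```

tool_text(parse_sse_response(SAMPLE_SSE)) yields the document text, while the error sample raises instead of silently returning an empty string, which is the case the one-line split shorthand gets wrong.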

Pattern: Quick data retrieval

  1. explore_specialist_tree → find the files you need
  2. read_specialist_documents → bulk read (more efficient than individual reads)
  3. Summarize for the user

Pattern: Updating specialist data

  1. Read the existing document first
  2. Modify content as needed
  3. update_specialist_document → write back (creates if new, overwrites if existing)
  4. For new folders: create_specialist_folder first, then write documents into it

User Signup (Agent-Initiated Onboarding)

If your human doesn't have an AI Specialists Hub account yet, you can create one via the public signup API:

curl -s -X POST "https://aispecialistshub.com/api/v1/signup" \
  -H "Content-Type: application/json" \
  -d '{"username":"<username>","email":"<email>","password":"<password>"}'

Response (201):

{
  "username": "...",
  "mcpKey": "...",
  "accountStatus": "unverified",
  "specialistLimit": 2,
  "message": "..."
}

⚠️ CRITICAL: Credential Handoff

You MUST provide all credentials to the human. Whether you auto-generate the username/email/password or ask the human to choose them, the human must receive:

  1. Username — for web dashboard login at aispecialistshub.com
  2. Email — used for account verification
  3. Password — for web dashboard login
  4. MCP key — for connecting AI tools to their specialists

Never keep credentials from the human. They own the account. Present all four clearly after signup.

Unverified Accounts

  • Limited to 2 specialists (default: Friday is auto-hired)
  • Full MCP access — specialists work immediately
  • Can log in to web dashboard with username/password
  • Verify email for full access (more specialists)

Signup Flow

  1. Confirm the human wants an AI Specialists Hub account
  2. Collect or generate: username, email, password
  3. Call POST /api/v1/signup
  4. Give the human ALL credentials (username, email, password, MCP key)
  5. Store the MCP endpoint URL in your config: https://aispecialistshub.com/api/v1/mcp/<username>/<mcpKey>
  6. Start using specialists via MCP
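The signup flow above as an added Python example; it is not the skill's own code nor the project's client. It adds a human-confirmation gate before any account is created, generates the password from the OS CSPRNG, assembles the four-item credential handoff, and treats the MCP URL as a secret because the mcpKey sits in its path (parse_mcp_url and redact_mcp_url let you keep the key out of files and logs). Response field names follow the 201 body documented above; SAMPLE_SIGNUP_RESPONSE is constructed, and signup() is the only function that touches the network.

```python
# Added example (not the skill's own code): agent-initiated onboarding with
# a human-confirmation gate, CSPRNG password, the credential handoff and
# safe handling of the key-bearing MCP URL. Sample response is constructed.
import json
import re
import secrets
import string
import urllib.request
from urllib.parse import quote, unquote

SIGNUP_URL = "https://aispecialistshub.com/api/v1/signup"
MCP_BASE = "https://aispecialistshub.com/api/v1/mcp"
_MCP_URL_RE = re.compile(r"^https://aispecialistshub\.com/api/v1/mcp/([^/]+)/([^/?#]+)/?$")
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_.!@#"


def generate_password(length=24):
    """Password from the OS CSPRNG (secrets); never random.random for secrets."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def build_signup_request(username, email, password):
    """Return (headers, body) for POST /api/v1/signup."""
    headers = {"Content-Type": "application/json"}
    body = json.dumps({"username": username, "email": email,
                       "password": password}).encode()
    return headers, body


def signup(username, email, password, human_confirmed, timeout=30):
    """Create the account (network). Refuses to run until the human has
    agreed, which is step 1 of the signup flow. Returns the parsed 201 body."""
    if not human_confirmed:
        raise PermissionError("human has not confirmed account creation")
    headers, body = build_signup_request(username, email, password)
    req = urllib.request.Request(SIGNUP_URL, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def mcp_url(username, mcp_key):
    """Assemble the per-user endpoint. The key sits in the URL path, so the
    whole URL is a secret: do not log it or commit it to a shared repo."""
    return f"{MCP_BASE}/{quote(username, safe='')}/{quote(mcp_key, safe='')}"


def parse_mcp_url(url):
    """Split an MCP endpoint URL back into (username, mcpKey), e.g. to keep
    the key in a secret store rather than inline in TOOLS.md."""
    m = _MCP_URL_RE.match(url)
    if not m:
        raise ValueError("not an AI Specialists Hub MCP endpoint URL")
    return unquote(m.group(1)), unquote(m.group(2))


def redact_mcp_url(url):
    """Form safe for logs and chat transcripts: key replaced by '***'."""
    user, _ = parse_mcp_url(url)
    return f"{MCP_BASE}/{quote(user, safe='')}/***"


def handoff(email, password, response):
    """The four items the human must receive after signup, plus status."""
    return {
        "username": response["username"],
        "email": email,
        "password": password,
        "mcp_key": response["mcpKey"],
        "mcp_endpoint": mcp_url(response["username"], response["mcpKey"]),
        "account_status": response.get("accountStatus", "unverified"),
        "specialist_limit": response.get("specialistLimit", 2),
    }


# Constructed 201 body in the documented shape (not a real account or key).
SAMPLE_SIGNUP_RESPONSE = {"username": "alice", "mcpKey": "examplekey123",
                          "accountStatus": "unverified", "specialistLimit": 2,
                          "message": "Account created"}

if __name__ == "__main__":
    pw = generate_password()
    creds = handoff("alice@example.com", pw, SAMPLE_SIGNUP_RESPONSE)
    for key, value in creds.items():
        print(f"{key}: {value}")
    print("log-safe endpoint:", redact_mcp_url(creds["mcp_endpoint"]))
```

Anything the agent writes to a transcript, an issue tracker or a log should go through redact_mcp_url; only the handoff shown directly to the human carries the full URL and key.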

Configuration

Store the MCP endpoint URL in TOOLS.md. The URL embeds the user's MCP key, so treat the file as a secret and keep it out of shared or public repositories:

### AI Specialists Hub
- MCP endpoint: https://aispecialistshub.com/api/v1/mcp/<user>/<key>

See references/specialists-guide.md for details on specialist workspace conventions.
