Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Alter Actions

v1.0.0

Trigger Alter macOS app actions via x-callback-urls. Catalog of 84+ actions including ask-anything, translate, summarize, grammar correction, and more.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The declared purpose—building and triggering alter:// x-callback-urls on macOS—matches the SKILL.md content and the darwin OS requirement. However, the Quick Start examples show commands like `node index.js trigger ...` and the file documents functions (triggerAction, findActions, buildCallbackUrl) while the package contains no code files. Requiring a Node CLI when no code is present is inconsistent.

Instruction Scope
Instructions focus on constructing and triggering x-callback URLs for the Alter macOS app, which is within the stated purpose. They do not instruct reading arbitrary system files or requesting unrelated credentials. Note: several actions (e.g., extract-mails, extract-names/extract-any) are capable of extracting personal data from supplied inputs; while that's part of the app's advertised functionality, users should expect sensitive input may be forwarded to the app when invoked.

Install Mechanism
There is no install specification and no code files, so nothing is written to disk by an installer — this is the lowest-risk install posture. The absence of an install spec also contributes to the incoherence with CLI usage examples.

Credentials
The skill declares no environment variables, no credentials, and no config paths. That is proportionate for a skill that builds/opens x-callback URLs to drive a local macOS app.

Persistence & Privilege
always:false and normal autonomous invocation are used. The skill does not request elevated platform persistence or to modify other skills or system-wide settings.

What to consider before installing
This skill appears to be an instruction-only adapter for triggering Alter macOS app actions via alter:// x-callback URLs. However, the SKILL.md includes CLI examples (node index.js ...) and named helper functions but there are no code files or install steps included — the bundle looks incomplete or mispackaged. Before installing or enabling this skill:

1) Ask the publisher for the missing code (index.js or equivalent) or a clear explanation of how the agent is expected to execute the described commands.
2) Be cautious about feeding sensitive data: many actions (e.g., extract-mails, extract-names) are designed to extract personal information and would send that data to the Alter app via the URL scheme.
3) Verify you trust the Alter app and its handlers on your macOS device, since opening alter:// URLs will invoke that local app.
4) If you cannot obtain the missing implementation, treat the skill as incomplete and avoid enabling it for autonomous use.

If you want, I can draft specific questions to ask the publisher or suggest a minimal safe implementation that the skill could include.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🌀 Clawdis
