Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawHub Integration

v1.0.0

Use when browsing, searching, installing, or publishing skills to ClawHub (OpenClaw skill registry). ClawHub is like npm for AI agent skills.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for piuaibot-stack/clawhub-integration.

Prompt preview (Install & Setup):
Install the skill "ClawHub Integration" (piuaibot-stack/clawhub-integration) from ClawHub.
Skill page: https://clawhub.ai/piuaibot-stack/clawhub-integration
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install clawhub-integration

ClawHub CLI


npx clawhub@latest install clawhub-integration

Security Scan

Capability signals

Requires OAuth token; requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description match the instructions (search, install, publish against clawhub.ai). However the skill metadata declares no required environment variables or primary credential while the SKILL.md clearly documents and expects a CLAWHUB_TOKEN and optional CLAWHUB_REGISTRY and CLAWHUB_DISABLE_TELEMETRY. That mismatch is inconsistent and should be corrected or explained.
Instruction Scope
The runtime instructions stay on-topic: curl examples, CLI usage, publish API examples, and a recommended SKILL.md format. They do instruct reading a local secure file (~/.secure/clawhub_token) or environment variables for the token, which is appropriate for this purpose. No instructions attempt to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. The document suggests installing third-party CLIs via pip or npm (pip install clawhub or npm i -g clawhub) — expected but users should verify the package source before installing globally.
Credentials
Although the skill metadata lists no required env vars, the instructions expect CLAWHUB_TOKEN (clh_...) and optionally CLAWHUB_REGISTRY and CLAWHUB_DISABLE_TELEMETRY. A token grants authenticated capabilities (including publishing, updating, uninstalling) on the registry; requiring or using such a credential is proportionate to the publish/install purpose, but the omission from metadata and lack of explicit minimization of token scopes is a red flag—tokens should be least-privilege and declared in metadata.
Persistence & Privilege
The skill is not always:true and does not request persistent installation, which is good. However, because the instructions rely on an API token and the skill is allowed to be invoked autonomously, an agent with access to a CLAWHUB_TOKEN could programmatically install/uninstall/publish skills (a high-impact capability). This combination (autonomy + credential access) increases risk and should be considered before granting tokens to the agent.
What to consider before installing
This skill appears to be a legitimate ClawHub integration, but there are a few things to check before using it:

  • Metadata mismatch: the SKILL.md expects CLAWHUB_TOKEN and related env vars but the skill metadata does not declare them. Treat that as a correctness/attention issue.
  • Least-privilege token: if you provide CLAWHUB_TOKEN to an agent or environment, create a token limited to only the scopes you need (prefer read-only for browsing/searching). Avoid giving a token that can publish or delete unless necessary.
  • Avoid global env leakage: don't place tokens in widely accessible/global environment files. Use a secure credential store or a file with strict permissions (chmod 600) as suggested in the doc.
  • Autonomous risk: because the agent can invoke this skill autonomously, if it has access to a token it could modify registry contents. If you want to allow only manual operations, avoid storing the token in the agent environment or disable autonomous invocation for the agent.
  • Verify CLI packages: if you run pip install clawhub or npm i -g clawhub, verify the package source and maintainer before installing globally.
  • Verify ownership and endpoints: the SKILL.md points to https://clawhub.ai/api/v1 and an owner id but no homepage/source repository is provided; consider verifying the registry/site and owner identity before publishing or installing sensitive packages.

If you need higher assurance, ask the skill author to update metadata to declare CLAWHUB_TOKEN as a required credential, provide a homepage/source link, and document recommended token scopes. Revoke any token you hand to the agent if you later suspect misuse.

Like a lobster shell, security has layers — review code before you run it.

v1.0.0
MIT-0

ClawHub Integration

ClawHub (clawhub.ai) is the skill registry for OpenClaw agents — like npm but for AI agent skills.

Base URL

https://clawhub.ai/api/v1

Authentication

  • Token format: clh_<token> as Bearer token
  • Generate token: Log in at clawhub.ai → Settings → API Tokens
  • Store in env: CLAWHUB_TOKEN=clh_xxx
  • Validate: GET /api/v1/whoami
curl -H "Authorization: Bearer $CLAWHUB_TOKEN" https://clawhub.ai/api/v1/whoami

Security Considerations

When working with API tokens, especially in automated environments or with AI agents, be aware of the following security considerations:

  1. Token Storage: Never store tokens directly in scripts or commands. Use environment variables or secure credential storage.

  2. Secure Token Usage:

# Read token from secure file or environment variable
TOKEN=$(cat ~/.secure/clawhub_token)
curl -H "Authorization: Bearer $TOKEN" https://clawhub.ai/api/v1/whoami

# Or use environment variable
curl -H "Authorization: Bearer $CLAWHUB_TOKEN" https://clawhub.ai/api/v1/whoami

  3. Security Scanning: Many environments now scan for exposed credentials. If you encounter security warnings:

    • Do not bypass security checks
    • Use proper credential management practices
    • Store tokens in secure files with restricted permissions (chmod 600)
    • Use credential helpers when available

  4. Token Permissions: Ensure your token has only the minimum required permissions for the tasks you need to perform.
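
The token-file advice above, as an added example that is not part of the original SKILL.md: the loader refuses a token file that is a symlink, has a mode looser than 600, or does not hold a clh_ value. The function names are hypothetical, and passing the header through a curl config on stdin (so the token stays out of the process argument list) is an addition the page does not describe.

```shell
#!/bin/sh
# Added example, not ClawHub tooling. load_clawhub_token and clawhub_whoami are
# hypothetical helper names; the default path is the one used on this page.

load_clawhub_token() {
    token_file="${1:-$HOME/.secure/clawhub_token}"

    # Refuse symlinks and anything that is not a regular file.
    if [ -L "$token_file" ] || [ ! -f "$token_file" ]; then
        echo "refusing: $token_file is not a regular file" >&2
        return 1
    fi

    # Octal permission bits: GNU stat takes -c, BSD/macOS stat takes -f.
    mode=$(stat -c '%a' "$token_file" 2>/dev/null || stat -f '%Lp' "$token_file")
    case "$mode" in
        600|400) ;;
        *) echo "refusing: mode $mode on $token_file, expected 600" >&2
           return 1 ;;
    esac

    # Use the first line only, drop a stray CR, and check the documented prefix.
    token=$(head -n 1 "$token_file" | tr -d '\r')
    case "$token" in
        clh_?*) ;;
        *) echo "refusing: value does not look like a clh_ token" >&2
           return 1 ;;
    esac
    printf '%s' "$token"
}

# Validate the token against /whoami. The Authorization header is handed to
# curl as a config line on stdin, so it never appears in curl's argv.
clawhub_whoami() {
    token=$(load_clawhub_token "$@") || return 1
    printf 'header = "Authorization: Bearer %s"\n' "$token" |
        curl --silent --show-error --config - https://clawhub.ai/api/v1/whoami
}
```
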

Search Skills (No auth needed)

# Search by keyword
curl "https://clawhub.ai/api/v1/search?q=github+automation"

# List all skills
curl "https://clawhub.ai/api/v1/skills"

# Get specific skill
curl "https://clawhub.ai/api/v1/skills/{slug}"

# Download skill
curl "https://clawhub.ai/api/v1/download?slug=my-skill" -o skill.zip

Install via CLI

# Install clawhub
pip install clawhub
# or: npm i -g clawhub

# Login
clawhub login                     # browser OAuth via GitHub
clawhub login --token clh_xxx     # headless token login

# Browse & Install
clawhub search "calendar"         # search by keyword
clawhub explore                   # list recently updated
clawhub inspect <slug>            # preview before install
clawhub install <slug>            # download and install
clawhub list                      # show installed skills
clawhub update [slug]             # update skill
clawhub uninstall <slug>          # remove skill

Publish a Skill

# Via CLI
clawhub skill publish ./my-skill-folder

# Via API (multipart form)
curl -X POST https://clawhub.ai/api/v1/skills \
  -H "Authorization: Bearer $CLAWHUB_TOKEN" \
  -F "slug=my-skill" \
  -F "version=1.0.0" \
  -F "files[]=@SKILL.md"

SKILL.md Format for Publishing

---
name: skill-name
description: What this skill does and when to use it
version: 1.0.0
author: Kintama
license: MIT
metadata:
  hermes:
    tags: [tag1, tag2]
    related_skills: [other-skill]
required_env:
  - API_KEY
required_binaries:
  - python3
---

# Skill Name
Content here...
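
A pre-publish check for the metadata mismatch the scan reports, given as an added example rather than ClawHub's own tooling: it lists variables a SKILL.md body references as $NAME or ${NAME} that its required_env frontmatter does not declare. The function names and the sample document are constructed for illustration, and only the block-list form of required_env shown above is handled.

```shell
#!/bin/sh
# Added example (not ClawHub tooling). undeclared_env and sample_skill_md are
# hypothetical names. Handles the block-list required_env form shown on the page.

# Print env var names referenced as $NAME or ${NAME} in the body of a SKILL.md
# (file argument or stdin) that are missing from required_env in its frontmatter.
undeclared_env() {
    awk '
        # Frontmatter sits between the first two "---" lines.
        /^---[ \t]*$/ && fences < 2 { fences++; in_list = 0; next }
        fences == 1 {
            if ($0 ~ /^required_env:/) { in_list = 1; next }
            if (in_list && $0 ~ /^[ \t]*-[ \t]/) {
                name = $0
                gsub(/^[ \t]*-[ \t]*|[ \t]*$/, "", name)
                declared[name] = 1
            } else {
                in_list = 0     # any other key ends the required_env list
            }
            next
        }
        fences == 2 {
            line = $0
            while (match(line, /\$[{]?[A-Z_][A-Z0-9_]*/)) {
                name = substr(line, RSTART, RLENGTH)
                sub(/^\$[{]?/, "", name)
                used[name] = 1
                line = substr(line, RSTART + RLENGTH)
            }
        }
        END { for (name in used) if (!(name in declared)) print name }
    ' "${1:--}" | sort
}

# Constructed sample: declares API_KEY but also uses two CLAWHUB_* variables.
sample_skill_md() {
    cat <<'EOF'
---
name: demo-skill
required_env:
  - API_KEY
required_binaries:
  - python3
---
# Demo
curl -H "Authorization: Bearer $CLAWHUB_TOKEN" "${CLAWHUB_REGISTRY}/whoami"
echo "$API_KEY"
EOF
}
```

Shell variables assigned inside the body itself are listed too, so treat the output as a review list, not a verdict.
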

Rate Limits

  • Anonymous: 180 reads/min, 45 writes/min
  • Authenticated: 900 reads/min, 180 writes/min

Environment Variables

CLAWHUB_TOKEN=clh_xxx           # API token
CLAWHUB_REGISTRY=               # Override registry URL (optional)
CLAWHUB_DISABLE_TELEMETRY=1     # Disable tracking
