ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CLI-Hub Skill for CLI-Anything

v1.0.1

Discover agent-native CLIs for professional software. Access the live catalog to find tools for creative workflows, productivity, AI, and more.

0· 622·7 current·7 all-time
byYuhao@yuh-yang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and runtime instructions all match: this is a CLI package catalog/manager that uses pip to install per-tool packages (cli-anything-<name>), which is coherent for the stated purpose.
Instruction Scope
SKILL.md only instructs using pip and the cli-hub tool; it does not ask the agent to access unrelated files or secrets. However it instructs installing and running third-party CLI packages, which can execute arbitrary code on the host — behaviour expected for a package manager but outside the skill's ability to sandbox or vet.
!
Install Mechanism
No install spec in the skill bundle itself, but the instructions tell users/agents to run 'pip install cli-anything-hub' and then to install packages resolved from a live catalog hosted at https://clianything.cc/SKILL.txt (an unfamiliar domain). This implies downloading and installing potentially unreviewed pip packages; the catalog host is not a well-known release host and could direct installs to arbitrary packages.
Credentials
The skill declares no required credentials, binaries, or config paths and the SKILL.md does not request any secrets or unrelated environment access.
Persistence & Privilege
Skill flags are normal (always: false, autonomous invocation allowed). It does not request elevated or persistent platform privileges in the metadata.
What to consider before installing
This skill appears to be a legitimate CLI marketplace, but it works by having you (or the agent) pip-install third-party packages discovered via an external catalog. Before installing or letting an agent install packages: verify the project on PyPI and the linked GitHub repo (inspect package source), confirm the catalog domain (clianything.cc) is legitimate, prefer installing inside a disposable virtual environment or container, avoid running installs as root, and review the one-line install commands the catalog provides. If you plan to allow autonomous agent actions, restrict that capability until you’ve verified the packages and catalog origin.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dn8sfhtysc4m6e9b0xytpan84j8gm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments