Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cuihua Config Validator

v1.0.0

AI-powered configuration validator. Automatically validate JSON/YAML configs, detect conflicts, and suggest best practices.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
SKILL.md advertises JSON/YAML validation, environment-variable analysis, conflict detection, and best-practice suggestions, but the only shipped code (validator.js) performs a single JSON.parse on one file and prints validity. YAML parsing, .env analysis, conflict detection, and recommendations are not implemented. Requiring only node is coherent, but the feature listing is disproportionate to the actual implementation.
Instruction Scope
The runtime instructions describe scanning package.json, .env, docker-compose.yml, and custom YAML/JSON formats. The instructions themselves do not instruct any broad or sensitive actions (no network calls, no reading of arbitrary system state beyond files the user asks to validate). However, because the implementation doesn't match the documented scope, the agent might claim capabilities it cannot actually perform — that mismatch is the main concern.
Install Mechanism
No install spec is provided and the skill is instruction+small script only; required binary 'node' is appropriate for the provided validator.js. No remote downloads or archive extraction are present.
Credentials
The skill requests no environment variables or credentials, which is appropriate given the declared purpose. The SKILL.md mentions analyzing environment variables (e.g., .env files) but does not request secrets or elevated access — that analysis would be file-based and is not implemented in the code.
Persistence & Privilege
The skill does not request persistent presence (always: false) and does not modify other skills or system-wide configuration. Autonomous invocation is allowed (default) but is not combined with other concerning privileges or credential access.
What to consider before installing
This skill over-promises: its docs claim many AI-driven checks, but the included code only does a basic JSON syntax check. Before installing or using it, ask the author for the missing implementation or a source/homepage; review or run the validator.js locally in a sandbox to confirm behavior; do not rely on it to validate YAML, .env files, or provide security recommendations until those features are actually implemented and auditable. If you need the advertised capabilities now, prefer a well-known tool or library that explicitly implements YAML parsing and secret scanning.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node