Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Dub.co Links API
v1.0.1Integrates Dub Links API endpoints to create, update, delete, retrieve, list, count, and run bulk operations on short links. Use when the user asks for "dub...
⭐ 0· 600·0 current·0 all-time
byFermin Rodriguez Penelas@ferminrp
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (Dub Links API) matches the instructions (calls to https://api.dub.co/links*). However, the SKILL.md repeatedly requires a bearer token (DUB_API_KEY) and examples use curl and jq, yet the skill metadata declares no required env vars or binaries. That mismatch suggests the manifest is incomplete or misleading.
Instruction Scope
SKILL.md confines behavior to /links* endpoints and documents onboarding, token export, and curl/jq usage. The instructions tell an agent to export and use DUB_API_KEY and to run curl commands (including retries), and to parse output with jq. There is no instruction to read or send unrelated system files, but the guidance to 'export' tokens and run shell commands means the agent will handle secrets and invoke network calls — expected for this API but not reflected in declared requirements.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, lowering disk-write/execution risk. The included OpenAPI JSON is a local API spec snapshot (large but expected).
Credentials
The skill requires a bearer token (DUB_API_KEY) to operate per SKILL.md, but the registry lists no required environment variables or primary credential. Asking users to export an API key is reasonable for this integration, but the absence of that declaration is a proportionality/integrity issue: the platform or manifest should explicitly declare the required credential and how it will be stored/used.
Persistence & Privilege
always is false, no install steps, and the skill does not request persistent system-level changes. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to do what it says (operate only on /links endpoints), but the manifest omits important runtime requirements. Before installing: (1) confirm how the platform will collect and store the DUB_API_KEY (the SKILL.md expects you to export it), and prefer a secure credential store rather than pasting into shell history; (2) ensure curl and jq are available where the agent runs (examples assume them); (3) verify the minimal API key permissions/scope on dub.co and avoid using highly privileged keys; (4) ask the publisher to update the skill metadata to declare required env vars (DUB_API_KEY) and required binaries, or decline until that is fixed. These inconsistencies are probably sloppy packaging rather than malicious, but they materially affect security and operational behavior.Like a lobster shell, security has layers — review code before you run it.
latestvk977nzwbd830asbd7h8f97xe0x81cv9v
License
MIT-0
Free to use, modify, and redistribute. No attribution required.