ClawHub

Dubai

v1.0.0

Navigate Dubai as visitor, resident, tech worker, student, or entrepreneur with neighborhoods, transport, costs, visas, and local insights.

2· 497·1 current·2 all-time
byIván@ivangdavila
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Skill name/description (Dubai guide for visitors, residents, workers, entrepreneurs) align with the bundled markdown files. There are no binaries, installs, or environment variables requested — everything is internal content for city guidance.
!
Instruction Scope
The SKILL.md provides clear runtime instructions (identify user role, load relevant auxiliary files) and stays within the stated purpose. However, the pre-scan detected unicode-control-chars inside SKILL.md; such invisible characters are a known vector for prompt-injection or obfuscation of hidden instructions. Because this skill is instruction-only, hidden characters in SKILL.md could meaningfully alter an agent's behavior.
Install Mechanism
No install spec and no code files — minimal disk/write risk. Instruction-only skills carry lower install risk.
Credentials
The skill requests no environment variables, no credentials, and no config paths. There are no disproportionate secret or system access demands.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request persistent system-level privileges or to modify other skills. Autonomous invocation combined with hidden prompt content increases risk, but that is a composition of two factors (normal invocation + suspicious SKILL.md), not a mis-declared privilege.
Scan Findings in Context
[unicode-control-chars] unexpected: The regex scanner found unicode control characters in SKILL.md. These characters are not necessary for a city guide and can be used to hide additional directives or manipulate prompt parsing. Because the skill is instruction-only, hidden characters could change agent behavior at runtime; human review of the raw file is recommended.
What to consider before installing
This skill appears to be a straightforward Dubai guide: the files and SKILL.md content align with the description, it asks for no credentials, and it doesn't install software. The main red flag is the scanner finding of unicode control characters in SKILL.md — invisible characters can hide instructions intended to change what the agent does. Before installing or enabling this skill: (1) ask the publisher for provenance (who authored it); (2) inspect the raw SKILL.md bytes for unusual / zero-width / control characters and remove them or sanitize the file; (3) run the skill in a restricted/sandboxed agent first (no access to sensitive systems or credentials); and (4) if you lack the ability to inspect/sanitize, treat it as untrusted and avoid enabling autonomous invocation. If you want, I can scan SKILL.md for invisible characters and show their locations or provide a sanitized copy.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fq78reebkrk4gfsdqe046g181cxj1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🏙️ Clawdis
OSLinux · macOS · Windows

Comments