Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FastMode CMS - Host, Deploy, Manage Websites for Free

v1.5.3

Build, deploy, and host websites for free with full CMS. Create a live website from scratch, deploy it to the cloud with free hosting, free SSL, and custom d...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a CLI that creates, deploys, and manages websites (including OAuth login, storing credentials at ~/.fastmode/credentials.json, project creation, schema sync, deploy). Those capabilities are coherent with the stated purpose. However, the registry metadata says 'required binaries: none' and 'No install spec', while the SKILL.md metadata declares a required binary 'fastmode' and an npm install for 'fastmode-cli' — an internal mismatch that should be resolved.
Instruction Scope
Runtime instructions are focused on the declared purpose (running fastmode commands to create projects, sync schema, deploy, connect domains). They instruct a one-time browser OAuth and persistence of credentials locally, which is expected but sensitive. The instructions do not explicitly direct reading unrelated system files or environment variables, but they do require access to the user's working files (HTML/templates) and the ~/.fastmode credentials file.
Install Mechanism
The registry lists no install spec, but the SKILL.md metadata suggests installing an npm package (fastmode-cli) and requires the fastmode binary. If installed automatically, npm packages are moderate risk (unreviewed third-party code). The mismatch between 'no install spec' and the embedded npm install hint is a red flag — it's unclear whether the platform will install anything or the agent is expected to. Verify the package origin, maintainers, and integrity before installing.
Credentials
The skill requests no environment variables or external credentials in the registry, which is proportional. However, it relies on OAuth-managed credentials persisted at ~/.fastmode/credentials.json. Those tokens are sensitive; the skill will need them to act on the user's behalf. There are no unrelated credential requests, but the local credentials file is a potential exfiltration target if the agent or CLI is compromised.
Persistence & Privilege
always:false and no install spec in the registry mean the skill does not demand permanent platform presence. The only persistent artifact mentioned is the CLI's own credentials file (~/.fastmode/credentials.json), which is normal for a CLI but should be checked for storage protections (encryption, scope). Autonomous invocation is allowed by default and not elevated here.
What to consider before installing
This skill appears to be a CLI for building and deploying websites, which reasonably needs a fastmode binary and to store OAuth tokens locally — but there are inconsistencies between the registry metadata (no install, no required bins) and the SKILL.md (requires 'fastmode' and suggests npm install fastmode-cli). Before installing or using it:

1) Verify the fastmode-cli package on npm (owner, downloads, source code, checksums);
2) Confirm the official website/source (SKILL.md references https://fastmode.ai but the registry lacks a homepage);
3) Prefer installing the CLI manually in a sandbox to inspect what it writes (especially ~/.fastmode/credentials.json) and whether credentials are encrypted;
4) Avoid reusing highly privileged credentials; use a dedicated account or DNS/test domain when connecting custom domains;
5) If you must proceed, review the npm package source or vendor-supplied binaries and watch for unexpected network calls or attempts to read unrelated files.

These steps will reduce risk given the metadata/install inconsistencies and the sensitive persisted credentials.

Like a lobster shell, security has layers — review code before you run it.
