Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Galileo TypeScript SDK
v1.2.1
Complete reference for the Galileo AI platform TypeScript/JS SDK for evaluating, observing, and protecting GenAI applications. Use when building Node.js or T...
by Gyanesh Malhotra (@gyanesh-m)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name/description match the instructions: the skill documents using a 'galileo' npm SDK to instrument LLM calls, run experiments, and send telemetry to a Galileo console. However, the skill metadata lists no required environment variables or credentials while the SKILL.md explicitly requires GALILEO_API_KEY (and offers GALILEO_USERNAME/GALILEO_PASSWORD as alternatives). This mismatch is an incoherence in the manifest.
Instruction Scope
Instructions focus on logging/tracing LLM calls and running evaluations (consistent with the stated purpose). They instruct configuring an OTLP exporter and sending traces and experiment data to a Galileo endpoint (e.g., https://app.galileo.ai/api/otel/v1/traces). This is expected for an observability SDK, but it means user data (LLM inputs/outputs, datasets) may be transmitted to an external service — the SKILL.md does not limit or warn about sensitive data being sent.
Install Mechanism
This is an instruction-only skill (no install spec in the manifest). The SKILL.md recommends installing the 'galileo' npm package via npm/yarn/pnpm, which is the expected, low-risk install path for a TypeScript SDK. Nothing in the skill attempts to download arbitrary archives or run unknown installers.
Credentials
The SKILL.md requires GALILEO_API_KEY and optionally GALILEO_USERNAME/GALILEO_PASSWORD and GALILEO_CONSOLE_URL. Those env vars are proportionate to an SDK that authenticates to a telemetry/evaluation service — but the manifest declares no required env vars, which is inconsistent. The presence of username/password as an alternative is notable (more sensitive) and should be justified; ensure you only provide scoped API keys and not long-lived account credentials unless necessary.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request elevated platform privileges. According to the provided files, it does not modify other skills or system-wide settings.
What to consider before installing
This skill's documentation is consistent with an observability/evaluation SDK that sends traces and experiment data to a Galileo endpoint and requires an API key. Before installing or using it:
1) Verify the npm package name and the GitHub repo (https://github.com/rungalileo/galileo-js) and ensure they are the official vendor; check maintainer identity and recent activity.
2) Prefer using a scoped, least-privilege GALILEO_API_KEY rather than account username/password; avoid placing secrets in code or public repos.
3) Be aware that LLM inputs, outputs, datasets, and telemetry (which may include PII) will be sent to the configured Galileo endpoint. Review privacy/security policies and consider filtering/redacting sensitive data before logging.
4) Confirm the GALILEO_CONSOLE_URL is correct (don't point to an unknown third-party endpoint).
5) Ask the publisher to correct the skill metadata to declare required env vars so the manifest accurately reflects the runtime requirements.
If you need higher assurance, audit the actual npm package source and any network endpoints it contacts before granting credentials.
