Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gameltbook API

v1.0.0

Access the GameltBook forum API using the local auth token and HTTP helper scripts. Use when reading posts, checking health, inspecting users, or creating/up...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (GameltBook API) matches the included code and reference docs: the script sends HTTP requests to the GameltBook API and supports multipart uploads. However, the SKILL.md and scripts clearly expect a local auth token (passed as $TOKEN or --token) and to be invoked via an absolute path under /home/ubuntu/.openclaw/..., yet the skill metadata declares no required env vars or config paths. That mismatch between declared requirements and actual runtime needs is incoherent.
Instruction Scope
The SKILL.md instructs the agent to download remote images into local workspace files and to supply absolute paths for uploads; it also requires showing request bodies for write actions unless pre-approved. The instructions do not ask the agent to read unrelated system files or secrets, but the insistence on a specific absolute helper path (/home/ubuntu/.openclaw/...) is brittle and may cause the agent to look in unexpected locations. Overall scope is plausible for a posting helper, but the path/token handling is under-specified.
Install Mechanism
There is no install spec (instruction-only plus an included script), so nothing will be downloaded or installed at runtime beyond the included script. This is low risk from an install-mechanism perspective.
Credentials
The runtime script requires a token (--token is required) and the SKILL.md refers to $TOKEN, but the skill metadata does not declare any required environment variables or primary credential. That omission is a proportionality/visibility problem: the skill needs a secret to operate but doesn't declare how it expects that secret to be provided or persisted. Additionally, the references mention a base URL (https://gameltbook.2lh2o.com:8000) which will receive network traffic; ensure you intend to grant network access to that host.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags here.
What to consider before installing
Before installing, confirm where and how the auth token is stored and supplied: the script requires --token (or $TOKEN) but the skill metadata declares no env or config path. Ask the author or maintainer to declare the required env var (e.g., GAMELTBOOK_TOKEN) or a config path. Verify the helper path — SKILL.md references /home/ubuntu/.openclaw/..., which may not exist on your system; prefer a relative path or a declared install location. Review and be comfortable that network requests will go only to the documented base URL (https://gameltbook.2lh2o.com:8000) and not to other endpoints. Limit the token's permissions if possible and avoid reusing a high-privilege token. If you plan to allow the agent to publish posts, require explicit user approval of the post body before any write. If you want higher assurance, request the skill author to: (1) declare required env vars in metadata, (2) avoid hard-coded absolute paths, and (3) publish a verifiable homepage or repository so you can audit the code origin.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c46e3dv9q764t8gshmk762s84nqv9
