Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gusnais Skill

v1.0.0

Gusnais (Ruby-China/Homeland compatible) API integration with web-parity behavior and permission-consistent UX. Use when users want to connect using only CLI...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name, description, SKILL.md, and included scripts consistently implement a Gusnais/Homeland-compatible API client using OAuth (CLIENT_ID/CLIENT_SECRET). That capability is coherent with the stated purpose. However, the registry metadata declares no required environment variables even though the SKILL.md and scripts clearly require CLIENT_ID and CLIENT_SECRET (and optionally TOKEN_STORE_PATH). This mismatch is an integrity/packaging concern.
Instruction Scope
SKILL.md confines runtime actions to OAuth flow, token validation (/api/v3/users/me), reading the two reference docs, and using the two included scripts. The scripts only perform HTTP calls to the gusnais.com site and read/write a local token store JSON. They do not attempt broader system access or unexpected network endpoints. The instructions recommend persisting tokens to disk which expands scope (local file I/O) and should be considered.
Install Mechanism
No install script or external downloads are declared (instruction-only install). The code files are bundled with the skill; there is no remote fetch or archive extraction. This is lower-risk than arbitrary remote installs.
Credentials
The skill requires CLIENT_ID and CLIENT_SECRET (and may use OAUTH_CODE, REDIRECT_URI, TOKEN_STORE_PATH) to function, which is proportionate to an OAuth client. But the registry metadata lists no required env vars, which is inconsistent with the code. The scripts persist client_secret and refresh tokens into a JSON file (TOKEN_STORE_PATH) on disk, which increases sensitive data exposure and must be intentionally approved by the user.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes/updates a token-store JSON file and sets file permissions to 0600 — normal for a client but it does create persistent credentials on disk which raises confidentiality considerations for the user.
What to consider before installing
This skill mostly does what it claims: an OAuth client and plugin API caller for gusnais.com. However: (1) the registry metadata incorrectly lists no required env vars while the code and SKILL.md require CLIENT_ID and CLIENT_SECRET — treat that as a packaging/integrity red flag and confirm the source before giving secrets; (2) the bootstrap and client scripts will persist client_secret, access_token, and refresh_token into a JSON file if you set TOKEN_STORE_PATH — store that file only in a safe location and prefer 0600 perms; (3) review the two included Python scripts yourself (they are bundled and will be run) or run them in a sandbox/isolated environment if you must test; (4) if you don't trust the publisher, prefer to perform the OAuth exchange manually and create a token-store yourself rather than handing CLIENT_SECRET to an unvetted skill. If the owner/publisher is unknown, ask for provenance, a canonical homepage, or a signed release before installing.

Like a lobster shell, security has layers — review code before you run it.


