Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Helm Chart Linter

v1.0.0

Lint and validate Helm charts for structure, security, dependencies, and best practices. Use when asked to lint, validate, check, or audit Helm charts, verif...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for charlie-morrison/helm-chart-linter.

Install the skill "Helm Chart Linter" (charlie-morrison/helm-chart-linter) from ClawHub.
Skill page: https://clawhub.ai/charlie-morrison/helm-chart-linter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install helm-chart-linter

ClawHub CLI

npx clawhub@latest install helm-chart-linter

Security Scan

Capability signals

Requires wallet

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The name/description (Helm chart linting) matches the provided SKILL.md and the included Python script which implements a YAML parser and sets up linting rules for charts. No extraneous capabilities are declared (no env vars, no required binaries, no install).

Instruction Scope

SKILL.md instructs the agent to run the included Python script against a specified chart directory (python3 scripts/helm_chart_linter.py <command> <chart-dir>). That scope is appropriate for linting and the visible code shows parsers and rule checks. However the script file was truncated in the bundle you provided, so I cannot verify there are no instructions or code paths that read unrelated files, access home directories, or transmit data.

Install Mechanism

No install spec is present (instruction-only + bundled script). This minimizes install-time risk — nothing is being downloaded or extracted at install time.

Credentials

The skill declares no required environment variables, credentials, or config paths, and SKILL.md doesn't request any. That is proportional for a local linter which should only need access to the chart directory.

Persistence & Privilege

always is false, user-invocable is true, and the skill does not request persistent system presence or to modify other skills. Autonomy is enabled by default for skills, which is expected here.

What to consider before installing

The skill appears coherent: it bundles a Python linter and SKILL.md that tell the agent to run the script on a chart directory, and it requests no external credentials or install steps. However the main script was truncated in the bundle you provided, so you should:

1) Inspect the entire scripts/helm_chart_linter.py before installing — search for network usage (urllib, http, socket, requests, subprocess with curl/ssh), code that reads outside the specified chart-dir (e.g., expands ~, reads /etc, ~/.ssh), or code that writes to unexpected locations.
2) Run the script in an isolated environment (container or VM) on sample charts first.
3) If you need higher assurance, ask the publisher for a full code review or for a provenance link (homepage or repository) and verify the binary/script hash.
4) Note STATUS.md mentions a price ($59) — confirm licensing and distribution expectations before use.

If the rest of the script contains no outbound/network calls or reads of unrelated files, this skill is likely benign; discovery of network/exfiltration calls or requests for credentials would raise the assessment to malicious.
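
The inspection in step 1 above, as an added example (not part of the skill or of ClawHub's scanner): a static pass over Python source that reports imports of the modules the report names, string literals pointing at ~, /etc or .ssh, and calls that resolve the home directory or load code dynamically. The watched-call list, the function names and the sample source are assumptions made for the illustration.

```python
import ast
import sys

# Modules the scan report tells reviewers to search for.
WATCHED_MODULES = {"urllib", "http", "socket", "requests", "subprocess"}
# Calls that resolve the home directory or load/run code dynamically (assumed list).
WATCHED_CALLS = {"expanduser", "home", "__import__", "import_module", "exec", "eval"}

def is_outside_path(value):
    """True for string literals naming ~, /etc or an .ssh directory."""
    return isinstance(value, str) and (
        value in ("~", "/etc") or value.startswith(("~/", "/etc/")) or ".ssh" in value)

def audit_source(source, filename="<script>"):
    """Return sorted (line, kind, detail) findings for Python source text."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        modules = []
        if isinstance(node, ast.Import):
            modules = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            modules = [node.module or ""]
        for module in modules:
            if module.split(".")[0] in WATCHED_MODULES:
                findings.append((node.lineno, "import", module))
        if isinstance(node, ast.Call):
            func = node.func
            name = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", "")
            if name in WATCHED_CALLS:
                findings.append((node.lineno, "call", name))
        if isinstance(node, ast.Constant) and is_outside_path(node.value):
            findings.append((node.lineno, "path", node.value))
    return sorted(findings)

# Constructed sample input, not taken from the skill's script.
SAMPLE = '''\
import os, json
import urllib.request
from subprocess import run
def load(chart_dir):
    key = open(os.path.expanduser("~/.ssh/id_rsa")).read()
    mod = __import__("socket")
    return json.load(open(os.path.join(chart_dir, "Chart.yaml")))
'''

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    for line, kind, detail in audit_source(text):
        print(f"line {line}: {kind}: {detail}")
```

An empty result from this pass does not establish that a script is safe: it does not see file writes or strings assembled at run time, which is what the isolated run in step 2 is for.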

Like a lobster shell, security has layers — review code before you run it.

latest vk97ctv0f7w2qpwg5xgkzvepdn184rgba
70 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

Helm Chart Linter

A pure Python 3 (stdlib only) linter and validator for Helm chart directories. Checks structure, security, dependencies, and best practices across 22 rules.

Commands

python3 scripts/helm_chart_linter.py <command> <chart-dir> [options]

Command       Description
lint          Lint chart structure and best practices (all rules)
security      Run security-focused checks only
dependencies  Validate Chart.yaml/Chart.lock dependencies
validate      Full validation: structure + security + dependencies

Options

Option                       Description
--format text|json|markdown  Output format (default: text)
--strict                     Exit 1 on warnings as well as errors (CI mode)

Examples

# Basic lint
python3 scripts/helm_chart_linter.py lint ./my-chart

# Full validation with JSON output
python3 scripts/helm_chart_linter.py validate ./my-chart --format json

# Security audit, strict mode for CI
python3 scripts/helm_chart_linter.py security ./my-chart --strict

# Dependency check with Markdown report
python3 scripts/helm_chart_linter.py dependencies ./my-chart --format markdown

Rules

Structure (6 rules)

  1. CHART001 — Chart.yaml exists and has required fields (apiVersion, name, version, description)
  2. CHART002 — Version is valid semver
  3. CHART003 — values.yaml exists
  4. CHART004 — templates/ directory exists
  5. CHART005 — NOTES.txt exists in templates/ (warning)
  6. CHART006 — .helmignore exists (warning)

Security (6 rules)

  1. SEC001 — No hardcoded secrets in values.yaml (passwords, tokens, keys)
  2. SEC002 — No privileged containers (securityContext.privileged: true)
  3. SEC003 — No hostNetwork, hostPID, or hostIPC enabled
  4. SEC004 — Resource limits defined in templates
  5. SEC005 — No runAsRoot without explicit runAsNonRoot
  6. SEC006 — Image tags not "latest"

Dependencies (4 rules)

  1. DEP001 — Chart.lock present and matches Chart.yaml dependencies
  2. DEP002 — No wildcard version constraints
  3. DEP003 — Repository URLs use HTTPS
  4. DEP004 — No duplicate dependency names

Best Practices (6 rules)

  1. BP001 — Labels include app.kubernetes.io/name, version, managed-by
  2. BP002 — Liveness and readiness probes defined
  3. BP003 — Service account name configured
  4. BP004 — Namespace not hardcoded in templates
  5. BP005 — No deprecated API versions (extensions/v1beta1, apps/v1beta1, etc.)
  6. BP006 — Values documented with comments

Exit Codes

Code  Meaning
0     No issues (or only warnings in normal mode)
1     Errors found (or warnings found in --strict)
2     Script/usage error
