Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Joomla 5

v1.0.0

Joomla 5 site management via REST API, SFTP, and direct database access. Use when working with a Joomla 5 site to: manage articles, categories, menus, and mo...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (manage Joomla via REST, SFTP, DB endpoint) aligns with the actions in SKILL.md (API calls, SFTP file edits, DB queries). However the registry metadata declares no required environment variables or credentials even though the instructions rely on multiple sensitive credentials (API token, SSH key, Falang token, endpoint URLs). That mismatch is unexpected and should have been declared.
Instruction Scope
Runtime instructions explicitly read and write configuration.php, change file modes, run arbitrary SELECT SQL via a custom endpoint, perform regex patches on configuration.php, and instruct how to add new actions to the sppb5.php endpoint. Those operations allow reading secrets (DB credentials in configuration.php), exfiltrating data, and deploying new server-side behavior — all beyond a simple content-management helper and needing strong access controls and auditing.
Install Mechanism
This is instruction-only with no install spec or downloaded code, so there is no installer risk from the skill package itself.
Credentials
SKILL.md expects many sensitive env vars (e.g., JOOMLA_API_TOKEN, GANDI_SSH_KEY, GANDI_SFTP_HOST, GANDI_SFTP_USER, SPPB_URL, FALANG_SECRET_TOKEN, FALANG_INJECT_URL, JMAP_EXT_ID). The registry metadata lists none — an incoherence. The required secrets are high-privilege and should be declared, scoped, and justified explicitly.
Persistence & Privilege
The skill is not always:true and uses default autonomous invocation settings (normal). Autonomous invocation combined with the skill's ability to read/modify sensitive files and the server endpoint increases blast radius; consider restricting invocation or requiring explicit user approval before any SFTP/DB actions.
What to consider before installing
This skill contains powerful admin actions (SFTP edits of configuration.php, arbitrary SELECT and patch operations via a custom sppb5.php endpoint, and guidance to modify that endpoint). Before installing:
1) Treat it as high-privilege — do NOT provide full production SSH private keys or master API tokens unless you intend full admin automation.
2) Ask the publisher to declare required env vars and justify each (e.g., JOOMLA_API_TOKEN, GANDI_SSH_KEY, FALANG_SECRET_TOKEN).
3) Prefer scoped, least-privilege credentials (SFTP account limited to a known path; API token with limited scopes).
4) Audit the sppb5.php code on the server: restrict the select_query and patch_config actions, require server-side auth checks, and log all changes.
5) Use a staging site first, and back up configuration.php and the database.
6) Because owner/homepage are unknown, exercise extra caution — consider using only manual, user-invoked runs (disable autonomous invocation for this skill) or decline until the author provides provenance and declares env requirements.
