Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hash-verifier

v1.0.0

Verify data integrity with hashes

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to verify hashes, which is plausible, but the SKILL.md instructs running `python3 scripts/hash_verifier.py` and setting HASH_API_KEY even though the published package contains no code files, no scripts/ path, and the registry metadata lists no required env vars. The declared capabilities do not align with what the instructions request.
Instruction Scope
Runtime instructions tell the agent to execute a local script and to export an API key. Because the script is not present, the instructions are incomplete/misleading. The instructions also introduce an external secret (HASH_API_KEY) and provide no explanation of what service it authenticates to or why network access would be needed.
Install Mechanism
There is no install spec and no code files (instruction-only). This reduces installation risk because nothing is being downloaded or written by the registry, but it also means the instructions refer to missing artifacts.
Credentials
SKILL.md asks the user to set HASH_API_KEY, yet the skill metadata lists no required env vars and provides no justification for this credential. Requesting an unspecified API key for a local hash verifier is disproportionate and ambiguous.
Persistence & Privilege
The skill is not set to always:true and uses default invocation settings. It does not request persistent system privileges or modify other skills; no elevated persistence is indicated.
What to consider before installing
Do not install or run this skill as-is. The SKILL.md refers to a local script (scripts/hash_verifier.py) and an API key (HASH_API_KEY) that are missing from the package and from the declared requirements. Ask the publisher for: (1) the actual script source code bundled with the skill or a trustworthy homepage/repository link; (2) a clear explanation of what HASH_API_KEY is for and which external service (if any) the skill talks to; and (3) a minimal example that runs without supplying unexplained secrets. If you must test, do so in an isolated sandbox and never supply real secrets (API keys, production credentials) until you can verify the code and the network endpoints it contacts. If the publisher cannot provide the missing files and justification, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97ashm44f7mcdy2bkybx7n9qn83ncrc
