ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

shopping-list-fashion

v1.0.0

Create shopping lists

0· 98·0 current·0 all-time
by@jpengcheng523-netizen

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jpengcheng523-netizen/jpeng-shopping-list-fashion.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "shopping-list-fashion" (jpengcheng523-netizen/jpeng-shopping-list-fashion) from ClawHub.
Skill page: https://clawhub.ai/jpengcheng523-netizen/jpeng-shopping-list-fashion
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install jpeng-shopping-list-fashion

ClawHub CLI

Package manager switcher

npx clawhub@latest install jpeng-shopping-list-fashion
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The declared purpose is simple (create shopping lists) but the SKILL.md instructs running python3 scripts/shopping_list_fashion.py and exporting LIST_API_KEY. The package contains no script or code, and the registry metadata lists no required env vars or credentials. Requesting an API key and a local script is disproportionate/unexplained for an instruction-only skill without included code.
!
Instruction Scope
Runtime instructions tell the agent to execute a local script with input/output arguments and to set LIST_API_KEY, yet no script or further details about the external API are provided. The instructions are vague (no target API, no expected input format, no location of the script), which gives the agent broad, unspecified discretion and will lead to failure or unexpected behavior if executed.
!
Install Mechanism
There is no install spec (lowest-risk pattern) but the SKILL.md presumes a files/scripts/ layout and a Python script. Because no code is included, the lack of an install mechanism makes the instructions unusable and suggests the skill is either incomplete or mispackaged.
!
Credentials
The instructions ask the user to export LIST_API_KEY, but the registry metadata does not declare any required environment variables or a primary credential. The purpose does not explain why an API key is needed or which service it would authenticate, so requesting a secret-like variable is not justified by the package contents.
Persistence & Privilege
The skill does not request persistent presence (always:false), does not declare config paths, and does not modify other skills. Default autonomous invocation is allowed but not combined with other high privileges here.
What to consider before installing
This package appears incomplete or mispackaged. Before installing: (1) Ask the publisher for the missing script(s) and a clear install/usage guide (where scripts live, what the API key is for, which external endpoint is contacted). (2) Do not provide a real API key until you can inspect the code to verify how it is used and where data is sent. (3) Prefer skills that declare required env vars in their metadata and include either code or an install spec. (4) If you must test it, run it in an isolated environment or sandbox and monitor network traffic. The current mismatch (instructions require a script and LIST_API_KEY, but no code or declared env vars are present) makes the skill suspicious rather than clearly benign.

Like a lobster shell, security has layers — review code before you run it.

latestvk974yhvts2gjz649spw9m9zetn83mh11
98downloads
0stars
1versions
Updated 1mo ago
v1.0.0
MIT-0
@jpengcheng523-netizen
latest
Download

Fashion Shopping List

Create shopping lists

When to Use

  • User needs shopping related functionality
  • Automating list tasks
  • Fashion operations

Usage

python3 scripts/shopping_list_fashion.py --input <input> --output <output>

Configuration

Set required environment variables:

export LIST_API_KEY="your-api-key"

Output

Returns JSON with results:

{
  "success": true,
  "data": {}
}

Comments

Loading comments...