ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

threat-intelligence

v1.0.0

Get threat intelligence

0· 82·0 current·0 all-time
by@jpengcheng523-netizen
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The stated purpose (threat intelligence) is plausible, but the skill offers no code or install steps to implement it. The SKILL.md tells the agent to run python3 scripts/threat_intelligence.py, yet no script or code files are included in the bundle.
!
Instruction Scope
Runtime instructions require running a local script and exporting INTEL_API_KEY, but the agent package contains neither the script nor a clear API target. The instructions also lack input/output formats or destinations, giving broad, unsupported runtime expectations.
!
Install Mechanism
There is no install spec (instruction-only), which can be fine — except the instructions assume a local Python script exists. Without an install step or bundled code, the skill as distributed cannot perform the described actions.
!
Credentials
SKILL.md asks users to set INTEL_API_KEY, but the skill's declared requirements list no required env vars and no primary credential. Requesting an API key is reasonable for this purpose, but the env var is not declared in metadata and there's no information about where the key would be sent or how it is used.
Persistence & Privilege
The skill does not request always:true and has no special OS or install privileges. It does not request any config paths or other skills' settings.
What to consider before installing
Do not install or provide secrets to this skill yet. Ask the publisher for the missing pieces: the scripts/threat_intelligence.py source, a clear install or runtime environment description, and an explanation of where INTEL_API_KEY is used and which external service it contacts. Verify the skill's source/homepage and review the code before giving any API keys. If the publisher cannot provide code or a reputable source, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk9783k1g5ny7jcc3wpmx8tb4ss83nggq

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments