Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
js-hanoi-air
v1.0.0 · High-performance Node.js implementation for monitoring Vietnamese Air Quality Indexes. Features advanced error resilience, localized city mapping, and multi-...
⭐ 0 · 17 · 0 current · 0 all-time
by buihieu @guchigangz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious · medium confidence

Purpose & Capability
Name/description match the code and instructions: a Node.js script that queries the WAQI API for Vietnamese cities and returns AQI and simple health interpretation. No unrelated binaries, services, or capabilities are requested.
Instruction Scope
SKILL.md limits runtime behavior to running the included Node script and outbound access to api.waqi.info. The instructions do not ask the agent to read unrelated files or send data to other endpoints. Note: the package explicitly embeds full source, so runtime behavior is visible and limited to network calls to WAQI.
Install Mechanism
There is no install spec; this is instruction-plus-source only. Nothing is downloaded or written by an installer, which lowers install-time risk.
Credentials
The code contains a hard-coded WAQI_TOKEN string (506d32... ) but the skill metadata declares no required environment variables or primary credential. Embedding a credential in source while declaring none is a secret-management red flag: the token may be a leaked or stale personal token, or the omission may be intended to keep the credential out of the skill's declared requirements. Every installation would also share that one token, so its rate limit and any abuse are attributed to whoever owns it. The script's network egress goes to api.waqi.info (expected) and to no other endpoint.
Persistence & Privilege
Skill is user-invocable, not always-enabled, and does not request elevated or persistent system privileges or modify other skills. It only executes a single one-off Node.js process.
What to consider before installing
This skill's behavior (query WAQI and print results) matches its description, but it includes a hard-coded WAQI API token in the code while declaring no credentials; that mismatch is suspicious. Before installing:
(1) Treat the embedded token as potentially sensitive: verify its origin (is it a public demo token?) and rotate or remove it if it belongs to your organization.
(2) Prefer a version that accepts the token via a documented environment variable (e.g., WAQI_TOKEN) rather than hard-coding it.
(3) Confirm the GitHub homepage and repository integrity (commit history, owner) and check WAQI API terms and rate limits.
(4) If you cannot verify the token's provenance or the repo owner, avoid installing, or run the code in an isolated environment with restricted network access.
(5) If you proceed, replace the hard-coded token with a user-controlled credential and monitor outbound requests to confirm they go only to api.waqi.info.
Like a lobster shell, security has layers: review code before you run it.
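The shape a reviewer would want instead, covering both the Credentials finding above (a token literal in source) and items (1), (2) and (5) of the checklist, as an added JavaScript example. This is not the js-hanoi-air skill's own source and not ClawHub's scanner. Assumed: the WAQI feed endpoint `https://api.waqi.info/feed/<city>/?token=<token>` and the `{status, data: {aqi, city: {name}}}` response shape as published in WAQI's API docs; the city mapping, the sample response and the two sample source strings are constructed for this example; the hex-literal pattern in `findHardcodedToken` is a review heuristic, not WAQI's actual token format.

```javascript
// Added example, not the js-hanoi-air skill's code. Assumptions are marked below.

// The only host the skill is allowed to reach (from the scan's Instruction Scope).
const ALLOWED_HOSTS = new Set(["api.waqi.info"]);

// City key -> WAQI feed identifier. Constructed for this example; the skill's own
// mapping is not reproduced here.
const CITIES = { hanoi: "hanoi", hcmc: "ho-chi-minh-city", danang: "da-nang" };

// Credential comes from the environment. Fail closed: no token means no request,
// rather than a silent fallback to a literal baked into the source.
function getToken(env = process.env) {
  const token = typeof env.WAQI_TOKEN === "string" ? env.WAQI_TOKEN.trim() : "";
  if (token === "") {
    throw new Error("WAQI_TOKEN is not set; export it before running this skill");
  }
  return token;
}

// Reject any URL that is not HTTPS to an allowlisted host (egress control, item 5).
function assertAllowedEgress(url) {
  if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
    throw new Error(`egress to ${url.origin} is not permitted by this skill`);
  }
}

// Feed URL shape assumed from WAQI's public API: /feed/<city>/?token=<token>.
function buildFeedUrl(cityKey, token) {
  const feed = CITIES[cityKey];
  if (!feed) throw new Error(`unknown city key: ${cityKey}`);
  const url = new URL(`https://api.waqi.info/feed/${encodeURIComponent(feed)}/`);
  url.searchParams.set("token", token);
  assertAllowedEgress(url);
  return url.toString();
}

// US EPA AQI categories, the usual "simple health interpretation".
function aqiCategory(aqi) {
  if (aqi <= 50) return "Good";
  if (aqi <= 100) return "Moderate";
  if (aqi <= 150) return "Unhealthy for Sensitive Groups";
  if (aqi <= 200) return "Unhealthy";
  if (aqi <= 300) return "Very Unhealthy";
  return "Hazardous";
}

// Response shape assumed from WAQI docs: {status:"ok", data:{aqi, city:{name}}};
// on failure status is "error" and data carries the message.
function parseFeed(body) {
  if (!body || body.status !== "ok") {
    throw new Error(`WAQI error: ${body ? String(body.data) : "empty response"}`);
  }
  const aqi = Number(body.data && body.data.aqi);
  if (!Number.isFinite(aqi)) throw new Error("WAQI returned a non-numeric AQI");
  const station = body.data.city && body.data.city.name ? body.data.city.name : "unknown";
  return { station, aqi, category: aqiCategory(aqi) };
}

// End-to-end wiring; fetchImpl is injectable so the call can be exercised offline.
async function fetchAqi(cityKey, { env = process.env, fetchImpl = fetch } = {}) {
  const url = buildFeedUrl(cityKey, getToken(env));
  const res = await fetchImpl(url);
  if (!res.ok) throw new Error(`WAQI HTTP ${res.status}`);
  return parseFeed(await res.json());
}

// Reviewer check for the scan's Credentials finding: a token literal assigned in source.
// The "20+ hex chars" pattern is a heuristic for this example, not WAQI's token format.
const HARDCODED_TOKEN = /\b(WAQI_TOKEN|token)\s*[:=]\s*["'`]([0-9a-f]{20,})["'`]/i;
function findHardcodedToken(source) {
  const m = HARDCODED_TOKEN.exec(source);
  return m ? { name: m[1], prefix: m[2].slice(0, 6) + "..." } : null;
}

// Constructed inputs for the offline check (not real data from the skill or WAQI).
const SAMPLE_RESPONSE = { status: "ok", data: { aqi: 157, city: { name: "Hanoi" } } };
const LEAKY_SOURCE = 'const WAQI_TOKEN = "0123456789abcdef0123456789abcdef";\n';
const CLEAN_SOURCE = "const WAQI_TOKEN = process.env.WAQI_TOKEN;\n";
```

Run `findHardcodedToken` over the skill's script before installing; a hit means step (1) applies. With the token exported as `WAQI_TOKEN`, `fetchAqi("hanoi")` performs the single request to api.waqi.info and nothing else, and `assertAllowedEgress` is the place to extend if a future version needs another host.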
latest: vk97brx2fac7mrr18fab4n9kf4s84kjsj
