Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
LoomLens Live
v1.0.0
Opens LoomLens Live sidebar to estimate real-time costs, recommend best models in 6 clusters, and dispatch prompts with one click using Signal Loom API.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (sidebar that estimates costs, recommends models, dispatches prompts) match the provided artifacts: sidebar HTML, a local JS estimation engine (zero-deps), cluster definitions, and a plugin file that implements the before_model_resolve hook. There are no unrelated binaries or env vars declared. The included files plausibly implement the advertised features.
Instruction Scope
SKILL.md stays on-topic (open sidebar, estimate, optionally run estimates against Signal Loom using a user-supplied API key). It instructs the user to copy the skill into ~/.openclaw/workspace/hooks/loomlens-live/ which gives the skill a workspace hook that will run at runtime (expected for a plugin but important to note). The instructions reference external workspace docs (REV_SHARE_ANALYSIS.md) and an external signup link; neither is required for local preview but could guide the user to external sites. No instructions are present that ask the agent to read unrelated system files or environment variables.
Install Mechanism
This is instruction-only (no automatic install spec). All source/build artifacts are included in the package; there are no remote downloads, package registry installs, or extract-from-URL steps. The build script is local and non-networking. Installation is manual copy or openclaw skills install, which is expected for a third-party sidebar.
Credentials
The skill declares no required env vars and no primary credential, but SKILL.md expects users to provide a Signal Loom API key via the UI for 'Run Estimate' billing. That is proportional to the described functionality (per-call billing). However the metadata not declaring the API key means it won't be visible in permission prompts ahead-of-time. Also the SKILL.md shows a suspicious signup URL ("signallloomai.com/signup.html") which may be a typo or a wrong domain; the plugin source should be checked for the real API endpoint to confirm where keys are sent.
Persistence & Privilege
Installation into ~/.openclaw/workspace/hooks/loomlens-live/ registers a workspace hook and the plugin implements before_model_resolve, meaning it can run on prompt/model resolution and override model selection. This persistence is consistent with the skill's purpose (model dispatch) but elevates its runtime influence; users should be aware the plugin will run for prompts in that workspace. always:false and default autonomous invocation are unchanged.
What to consider before installing
This package appears to implement a local cost-estimator + sidebar plugin that can optionally call Signal Loom when you provide an API key. Before installing:
1) Verify the author/source — the registry metadata shows no homepage and the owner is unknown.
2) Inspect loomlens-openclaw-plugin.ts (the plugin) to confirm the exact API endpoints and that the Signal Loom key is only used for the claimed billing calls; ensure requests go to an official, expected domain (watch for typos like the SKILL.md 'signallloomai.com').
3) Remember the install step copies files into ~/.openclaw/workspace/hooks — this gives the skill a persistent hook (before_model_resolve) that will run on prompts; only install if you trust the code.
4) If you plan to provide an API key, prefer entering it into the UI only after confirming the plugin's endpoint and privacy policy; do not paste secrets into unknown external services.
5) If you cannot verify the source, consider running the sidebar locally in a sandboxed environment or asking the maintainer for an official homepage and source repository before proceeding.
Like a lobster shell, security has layers — review code before you run it.
