Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LSP Python

v1.1.0

Python code quality checking and LSP integration using pylsp. Provides code diagnostics, completion, hover tips, and style analysis. Use when: checking Pytho...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (pylsp LSP + code quality) matches the included scripts and references. The code legitimately spawns a local pylsp process and calls formatters/linters (autoflake, black). One minor discrepancy: the registry metadata lists no required binaries, but the scripts call external CLIs (pylsp, autoflake, black). These binaries are documented in SKILL.md as dependencies, so this is informational rather than malicious.
Instruction Scope
Runtime instructions and scripts stay within the declared purpose: reading Python files, invoking a local pylsp server, formatting/auto-fixing via standard tools, and writing a local markdown report. There are no instructions to read unrelated system files, transmit data externally, or access secrets.
Install Mechanism
This is an instruction-only skill with no install spec; scripts run local tools via subprocess. No downloads or archive extraction occur in the provided files.
Credentials
The skill requests no environment variables or credentials. It references optional config (e.g., MYPY_CACHE_DIR) in documentation but does not require secrets or unrelated service tokens.
Persistence & Privilege
always is false and the skill does not modify other skills or global agent settings. It writes report files and may modify project files when --auto-fix is used (autoflake/black in-place), which is expected behavior for an auto-fix feature.
Assessment
This skill appears to do what it says: run a local pylsp-based LSP client and run linters/formatters. Before installing or running:
1) Ensure you have the documented dependencies installed (python-lsp-server/pylsp, autoflake, black, etc.), because the scripts call those CLIs but the registry metadata doesn't enforce them.
2) Be aware --auto-fix will modify files in-place (the SKILL.md suggests making a backup first). Run it on a copy or enable VCS backups if you want to avoid accidental changes.
3) The tool spawns a local pylsp process and executes subprocesses — review and run in a trusted environment, especially if you run it on untrusted code.
Otherwise there are no requests for credentials or network exfiltration and nothing else in the package contradicts its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

