Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Gauntlet Graph Search

v1.0.0

Search the code knowledge graph by function, class, or type name using FTS5 full-text search with query-aware kind boosting

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose (FTS5 search of a code knowledge graph) is consistent with the instructions to run a graph_query.py script against .gauntlet/graph.db. However, the SKILL.md expects a runtime environment (CLAUDE_PLUGIN_ROOT, python3) that the registry metadata does not declare — a minor incoherence.
Instruction Scope
Instructions are narrowly scoped to running the plugin's graph_query.py against .gauntlet/graph.db and optionally reading the matched source file. The instructions do not ask the agent to exfiltrate results to external endpoints or to read unrelated system-wide files.
Install Mechanism
There is no install spec (instruction-only), so nothing will be downloaded or written by the registry itself. Risk comes from running a local script (plugin's scripts/graph_query.py) at runtime, which is expected for this kind of plugin.
Credentials
SKILL.md uses the CLAUDE_PLUGIN_ROOT environment variable and invokes 'python3', but the registry lists no required env vars or binaries. This mismatch is concerning because the skill depends on an undeclared environment and an executable that may or may not be present — and the script executed could read arbitrary files under the plugin root.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify other skills or global agent configuration according to the metadata.
What to consider before installing
This skill appears to do what it says (search a local .gauntlet/graph.db) but the SKILL.md expects CLAUDE_PLUGIN_ROOT and calls python3 even though the registry lists no required env or binaries. Before installing or running it:

  1. verify that CLAUDE_PLUGIN_ROOT will be set to a trusted plugin checkout;
  2. inspect the file scripts/graph_query.py in that repository to confirm it only reads the graph and source files you expect;
  3. ensure python3 is available in a controlled/sandboxed environment;
  4. only run this if you trust the plugin source or after reviewing the script — otherwise run the search in a sandbox or request the skill author to declare required env vars and binaries explicitly.


Runtime requirements

🦞 Clawdis
latest vk97cqpd7sags34xw30yj4ndx6984qn23
45 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Night Market Skill — ported from claude-night-market/gauntlet. For the full experience with agents, hooks, and commands, install the Claude Code plugin.

Search Code Knowledge Graph

Search .gauntlet/graph.db for code entities by name.

Steps

  1. Accept query: Get the search term from the user.

  2. Run the query script:

    python3 "${CLAUDE_PLUGIN_ROOT}/scripts/graph_query.py" \
        --action search --query "<term>" --limit 20
    

    Optional filters:

    • --kind Function to search only functions
    • --kind Class to search only classes

  3. Display results: Show qualified name, file path, line numbers, and relevance score for each match.

  4. Offer to read: Ask if the user wants to read the top result's source file.

Query Intelligence

The search engine detects query patterns:

  • PascalCase (e.g., UserService): boosts Class and Type results
  • snake_case (e.g., get_users): boosts Function results
  • Dotted path (e.g., app.models.User): boosts qualified name matches

Prerequisites

The graph must be built first. If .gauntlet/graph.db does not exist, suggest running the graph-build skill.
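
A preflight wrapper for the query step and the prerequisite above, written as an added example rather than code from the skill or the plugin. It checks the undeclared CLAUDE_PLUGIN_ROOT and python3 dependencies and the presence of .gauntlet/graph.db before anything runs; PYTHON_BIN, GRAPH_QUERY_SHA256 (an optional digest of the script copy you reviewed) and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not the skill's own code. PYTHON_BIN, GRAPH_QUERY_SHA256 and
# the function names are assumptions made for this sketch.

err() { echo "preflight: $*" >&2; }

# preflight [PROJECT_DIR]: returns 0 when the search can be launched,
# otherwise a distinct non-zero code per failed check.
preflight() {
    project_dir=${1:-.}
    py=${PYTHON_BIN:-python3}
    script=${CLAUDE_PLUGIN_ROOT:-}/scripts/graph_query.py

    # The env var the registry does not declare: set, absolute, a directory.
    [ -n "${CLAUDE_PLUGIN_ROOT:-}" ] || { err "CLAUDE_PLUGIN_ROOT is not set"; return 2; }
    case $CLAUDE_PLUGIN_ROOT in
        /*) [ -d "$CLAUDE_PLUGIN_ROOT" ] ;;
        *)  false ;;
    esac || { err "CLAUDE_PLUGIN_ROOT must be an absolute path to a directory"; return 3; }

    # The binary the registry does not declare.
    command -v "$py" >/dev/null 2>&1 || { err "interpreter '$py' not found"; return 4; }

    # The script must be a regular file inside the checkout, not a symlink.
    { [ -f "$script" ] && [ ! -L "$script" ]; } ||
        { err "$script is missing or is a symlink"; return 5; }

    # Prerequisite from the skill text: the graph must already be built.
    [ -f "$project_dir/.gauntlet/graph.db" ] ||
        { err "no .gauntlet/graph.db; run the graph-build skill first"; return 6; }

    # Optional pin: refuse to run a script that differs from the reviewed copy.
    if [ -n "${GRAPH_QUERY_SHA256:-}" ]; then
        actual=$(sha256sum "$script" 2>/dev/null | cut -d' ' -f1)
        [ "$actual" = "$GRAPH_QUERY_SHA256" ] ||
            { err "graph_query.py does not match the reviewed digest"; return 7; }
    fi
    return 0
}

# run_search TERM [extra args such as --kind Function]; run from the project dir.
run_search() {
    term=$1; shift
    preflight . || return
    "${PYTHON_BIN:-python3}" "$CLAUDE_PLUGIN_ROOT/scripts/graph_query.py" \
        --action search --query "$term" --limit 20 "$@"
}
```

Passing the term as a single quoted argument keeps shell metacharacters in a user-supplied search string from being interpreted before the script sees them.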
