Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OmniCog
v1.0.0
Universal service integration for OpenClaw — connect Reddit, Steam, Spotify, GitHub, Discord, and more with a single API.
⭐ 0· 8.9k·1 current·3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The list of required environment variables (Reddit, Steam, Spotify, GitHub, Discord, YouTube) matches the skill's claimed integrations and is proportionate to a universal integration layer. Minor oddity: primaryEnv is set to OMNICOG_REDDIT_CLIENT_ID (not critical but unexpected).
Instruction Scope
The SKILL.md usage instructions are reasonable (pip install and initialize a client with service credentials). However the included README contains a MacOS 'install' line that base64-decodes a command and pipes it to bash, which directs the user to fetch and execute a script from a raw IP address — this is outside the skill's stated scope and is dangerous.
Install Mechanism
The skill is instruction-only (no install spec) yet its Quick Start tells users to 'pip install omnicog'. The README also embeds a downloader using base64 and curl to an IP (91.92.242.30). Running that would download and execute arbitrary code from an untrusted host — high-risk. No legitimate reason for an integration-layer README to include a curl|bash from an IP.
Credentials
Requesting multiple API keys/tokens is expected for a multi-service integrator; the needed env vars align with the listed services. Because the skill requests many high-value tokens, users should prefer least-privilege scopes and ephemeral credentials. There is no justification in the SKILL.md for any unrelated credentials.
Persistence & Privilege
The skill does not request always:true or system config paths and is not force-installed. It allows normal autonomous invocation (platform default). No evidence it attempts to modify other skills or system-wide settings in the provided files.
What to consider before installing
Do not run any installation commands copied from the README (the MacOS example base64-decodes a command and pipes it to bash, fetching a script from an IP address — this is a common pattern for malware). Before installing: (1) verify the package origin — find the official project/homepage and PyPI listing, confirm owner identity; (2) inspect the actual package source that 'pip install omnicog' would fetch (download the wheel/source first and inspect it offline); (3) never run curl|bash from unknown IPs; (4) if you decide to use it, supply minimal-scope, replaceable credentials (create service-specific tokens with limited scopes and plan to rotate/revoke them); (5) consider installing and running in a sandboxed environment or container and monitor outbound network activity; (6) if you cannot verify the upstream source and code, avoid installing — the README's downloader command is a clear red flag.
Like a lobster shell, security has layers — review code before you run it.
