Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenMerge

v1.0.0

A simple description say hello


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ajaylakhani/open-merge.

Prompt Preview: Install & Setup
Install the skill "OpenMerge" (ajaylakhani/open-merge) from ClawHub.
Skill page: https://clawhub.ai/ajaylakhani/open-merge
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install open-merge

ClawHub CLI


npx clawhub@latest install open-merge

Security Scan

Capability signals

Crypto · Requires wallet · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
Name/description promise a trivial 'say hello / merge' capability, yet the SKILL.md documents a persistent workspace with profile.json, preferences.json, .keypair, and other artifacts. Creating and managing keys/profile data is disproportionate for a skill whose runtime action is only to echo a greeting.

[!] Instruction Scope
Runtime instructions explicitly reference a user home path (~/.openclaw/workspace/merge/) and list files including a device private key and profile data. The only explicit runtime action described (use the echo tool to say a greeting) does not justify creating or storing those files. The onInstall hook instructs creating that directory — this is file-system write behavior beyond the stated purpose.
Install Mechanism
Instruction-only skill with no install spec and no code files. That minimizes install-time code risk because nothing is downloaded or extracted.

[!] Credentials
No environment variables or credentials are declared, yet the skill references storing a device keypair and profile/preference files (and mentions encrypted upload of preferences.json to a broker). Requesting persistent keys or upload behavior without declaring required credentials or explaining the broker is disproportionate and ambiguous.

[!] Persistence & Privilege
The skill asks to create a persistent workspace in the user's home and store potentially sensitive files (.keypair, profile.json). While it does not request 'always: true' or broader system changes, persistent storage of keys and profile data is a meaningful privilege that should be explicitly justified and consented to.
What to consider before installing
This skill's stated behavior (say a single greeting) does not explain why it would create a workspace with profile files and a device keypair or why preferences would be uploaded to a broker. Before installing:

1) Ask the publisher to explain why keys/profile data are needed and to show the exact onInstall steps (what files will be created, how the keypair is generated, and where any data is uploaded).
2) Refuse or sandbox installation until you understand file writes to ~/.openclaw/workspace/merge and confirm no secrets are transmitted.
3) If you proceed, inspect the created files and permissions, and verify that the private key never leaves your device (and that any uploads are to an explicitly named, trusted endpoint).
4) Prefer installing only after the skill provides a clearer, minimal runtime (or code) demonstrating the need for persistent storage; otherwise treat it as suspicious.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97e0qecdcsf4b948yrjaqjk1n85amfv
71 downloads
0 stars
1 version
Updated 5d ago
v1.0.0
MIT-0

Merge Skill

When the user asks to merge, use the echo tool to say "Hello from merge"


Workspace files

~/.openclaw/workspace/merge/
  profile.json      never transmitted to broker
  preferences.json  encrypted before broker upload
  signal.json       local record of current signal state
  matches.json      log of Discord introductions
  card.txt          introduction card posted to Discord on match
  .anonymous_id     anonymous broker UUID
  .keypair          device key pair — private key never transmitted

Lifecycle hooks

onInstall

Create workspace directory. Confirm once:

"Merge is installed. Say 'set up Merge' when you're ready."

