Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VibeTheme
v1.0.0
Generates a color palette and CSS variables based on a descriptive atmosphere.
by Peter Lum (@liverock)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill's stated purpose is to generate palettes/CSS. The handler.js implementation calls an external LLM endpoint (https://openrouter.ai/api/v1/chat/completions). The SKILL.md does not mention using a third-party LLM service or needing an API key. Either the network call is intended (and should be declared), or the code is misplaced; the lack of declared credentials or explanation is disproportionate to the stated purpose.
Instruction Scope (flagged)
SKILL.md describes local generation/formats and gives no indication that user-provided 'vibe' text will be sent to a third-party API. The runtime code does exactly that. This is scope creep: the instructions do not disclose external transmission of user input to openrouter.ai.
Install Mechanism
This is an instruction-only skill with one small handler.js file and no install spec or remote downloads. There is no install-time execution of arbitrary code from external URLs.
Credentials (flagged)
No environment variables or credentials are declared, yet the code calls an external LLM endpoint that typically requires authentication. The skill does not request or document an API key (e.g., OPENROUTER_API_KEY) or show how authentication is provided; this is an inconsistency and could lead to implicit credential usage or failing network requests.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent privileges. It does not modify other skills or system-wide settings.
What to consider before installing
Before installing, consider the following:
- The code sends the user's 'vibe' text to https://openrouter.ai; SKILL.md does not disclose this. If you care about privacy or sensitive prompts, do not install until the author clarifies and documents the external call.
- Ask the author to explicitly declare any required credentials (e.g., OPENROUTER_API_KEY) and to add an Authorization header rather than relying on implicit platform credentials.
- Request that SKILL.md be updated to state clearly that user input is transmitted to an external LLM and to which endpoint.
- Recommend code hardening: validate the model output safely rather than trusting it (wrap JSON.parse in try/catch, validate expected keys and color formats, reject or sanitize unexpected values) to avoid runtime crashes or malformed outputs.
- If you prefer no network calls, ask for an offline fallback implementation (deterministic color generation from the vibe string) or removal of the external fetch entirely.
- Do not install this skill on systems that may send sensitive or confidential text to third parties until the data flow and credential handling are clarified.
If the maintainer confirms that use of openrouter.ai is intentional, they should:
1. declare the API key environment variable in the skill metadata,
2. add an Authorization header to the request,
3. update SKILL.md to disclose the external call, and
4. add robust parsing and validation of the model response.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9790dp6ztggxcjz5zhzgqedf984jy9g
