Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenSpace Skill Discovery

v1.0.0

Search for reusable skills across OpenSpace's local registry and cloud community. Reusing proven skills saves tokens, improves reliability, and extends your...

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for x-rayluan/openspace-skill-discovery.

Install the skill "OpenSpace Skill Discovery" (x-rayluan/openspace-skill-discovery) from ClawHub.
Skill page: https://clawhub.ai/x-rayluan/openspace-skill-discovery
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install x-rayluan/openspace-skill-discovery

ClawHub CLI

npx clawhub@latest install openspace-skill-discovery

Security Scan

Capability signals: Requires sensitive credentials

These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability

The name/description (discover skills locally and in the cloud) aligns with the instructions which show a search_skills API and reading SKILL.md files locally. However, the SKILL.md explicitly discusses cloud access and auto-importing cloud hits but the skill metadata declares no credentials or config paths to enable cloud access; this is plausible if the platform provides built-in credentials, but the skill does not explain that assumption.

! Instruction Scope

Instructions are mostly scoped to discovery and reading SKILL.md files, which is appropriate. But they also permit auto_import ("Auto-download top cloud hits locally") and reference an API key fallback path ("falls back to local-only if no API key"). Those steps imply network downloads and writing files to disk and assume an API key exists somewhere; neither the download targets nor the storage paths or verification/approval steps are specified.

Install Mechanism

This is instruction-only (no install spec, no code files), which is low risk on its own. But the instructions allow auto-downloading cloud skills into local storage even though no install or verification mechanism is documented. That gap raises a moderate concern: the skill could cause the agent to write unvetted code to disk if auto_import is used.

! Credentials

Requires.env lists none, yet the SKILL.md refers to an API key (cloud vs local behavior). This mismatch is notable: either the skill expects platform-level credentials (not declared) or it omitted declaring required credentials. If cloud access requires keys, the skill should declare them; otherwise the behavior is ambiguous.

Persistence & Privilege

The skill does not request always:true and declares no config-paths or persistent privileges. It does instruct reading local SKILL.md files and may cause local files to be written if auto_import is used, but it does not demand system-wide privileges or to modify other skills' configurations.

What to consider before installing

This skill is plausible for discovering and reusing skills, but its instructions mention cloud access and automatic downloading without declaring required credentials or describing how downloads are vetted. Before installing or using auto_import: (1) confirm where the 'API key' lives (platform-provided or must be supplied) and why the skill didn't declare it; (2) disable or require manual approval for auto_import so you can review any cloud skill before it is saved locally; (3) ask what paths are used for saved skills and whether downloaded SKILL.md and code are integrity-checked or sandboxed. Because this is instruction-only, there was no code to scan — extra caution around network downloads and local writes is recommended.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e2ghb1pfdj9vpmag781wqxh85efnw
20 downloads
0 stars
1 version
Updated 3h ago
v1.0.0
MIT-0

Skill Discovery

Discover and browse skills from OpenSpace's local and cloud skill library.

When to use

  • User asks "what skills are available?" or "is there a skill for X?"
  • You encounter an unfamiliar task — a proven skill can save significant tokens over trial-and-error
  • You need to decide: handle a task yourself, or delegate to OpenSpace

search_skills

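search_skills(query="automated deployment with rollback", source="all")

| Parameter   | Required | Default | Description                                           |
|-------------|----------|---------|-------------------------------------------------------|
| query       | yes      |         | Natural language or keywords                          |
| source      | no       | "all"   | Local + cloud; falls back to local-only if no API key |
| limit       | no       | 20      | Max results                                           |
| auto_import | no       | true    | Auto-download top cloud hits locally                  |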

After search

Results are returned to you (not executed). Cloud hits with auto_imported: true include a local_path.

Found a matching skill?
├── YES, and I can follow it myself
│     → read SKILL.md at local_path, follow the instructions
├── YES, but I lack the capability
│     → delegate via execute_task (see delegate-task skill)
└── NO match
      → handle it yourself, or delegate via execute_task
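
A gate an agent host could run over search_skills results before any auto-imported SKILL.md is read and followed, shown as an added example that is not part of this skill or of OpenSpace. Only `auto_imported` and `local_path` come from the page; the `name` field, the skills root directory and the approved-hash set are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def triage_results(results, skills_root, approved_sha256):
    """Classify hits before any imported SKILL.md is read and followed."""
    root = Path(skills_root).resolve()
    verdicts = {}
    for hit in results:
        name = hit.get("name", "<unnamed>")  # `name` is an assumed field
        if not hit.get("auto_imported"):
            verdicts[name] = "not-imported"
            continue
        path = Path(hit.get("local_path", ""))
        # The page does not say whether local_path is the file or its folder.
        skill_md = (path if path.name == "SKILL.md" else path / "SKILL.md").resolve()
        # resolve() follows ".." and symlinks, so writes outside the root show up.
        if root not in skill_md.parents:
            verdicts[name] = "reject: outside skills root"
            continue
        if not skill_md.is_file():
            verdicts[name] = "reject: no SKILL.md"
            continue
        digest = hashlib.sha256(skill_md.read_bytes()).hexdigest()
        verdicts[name] = ("approved" if digest in approved_sha256
                          else f"needs-review sha256={digest}")
    return verdicts


def demo():
    # Constructed sample data: one reviewed skill, one unseen, one escaping path.
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "skills")
        for name, body in (("deploy", b"# reviewed\n"), ("new", b"# unseen\n")):
            (root / name).mkdir(parents=True)
            (root / name / "SKILL.md").write_bytes(body)
        approved = {hashlib.sha256(b"# reviewed\n").hexdigest()}
        results = [
            {"name": "deploy", "auto_imported": True, "local_path": str(root / "deploy")},
            {"name": "new", "auto_imported": True, "local_path": str(root / "new")},
            {"name": "escape", "auto_imported": True, "local_path": str(root / ".." / "x")},
            {"name": "cloud-only", "auto_imported": False},
        ]
        return triage_results(results, root, approved)


if __name__ == "__main__":
    print(demo())
```

Only hits that come back as approved should be handed to the agent to follow; a needs-review digest is what a human records after reading the file.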

Notes

  • This is for discovery — you see results and decide. For direct execution, use execute_task from the delegate-task skill.
  • Cloud skills have been evolved through real use — more reliable than skills written from scratch.
  • Always tell the user what you found (or didn't find) and what you recommend.
