Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pharmacies

v0.1.0

Find nearby pharmacies. Invoke when user asks for drugstores near me.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with requirements: no binaries, no credentials, and an instruction-only skill are reasonable for a simple POI lookup. However, the SKILL.md does not declare a data provider or API, and it references a local STANDARD_RESPONSE.md via a file:///Users/... path that will not exist in a typical runtime — this is an implementation inconsistency.
Instruction Scope
Instructions require location input and describe parameters and error codes, but do not specify which data source, endpoint, or API to use. The SKILL.md instructs referencing STANDARD_RESPONSE.md via an absolute local file URI (file:///Users/mac_lkm/...), which is outside the skill bundle and may be missing at runtime. The lack of a specified provider makes the agent's behavior under-specified and could lead it to query arbitrary third-party services (potentially transmitting user location).
Install Mechanism
No install spec and no code files — lowest risk from installation. Nothing will be written to disk by an installer.
Credentials
The skill requests no environment variables or credentials, which is reasonable for an instruction-only lookup. But because no provider is specified, a runtime implementation might require API keys or other secrets that are not declared here — the lack of declared credentials combined with unspecified endpoints is a gap.
Persistence & Privilege
Skill is not always-enabled and is user-invocable. It does not request persistent presence or elevated platform privileges.
What to consider before installing
This skill appears to do what it says, but the runtime instructions are incomplete and reference a local file path that won't exist in most environments. Before installing or enabling it, ask the author to: (1) include or embed the referenced STANDARD_RESPONSE.md (or replace the file:// reference with the actual schema), (2) specify the data provider(s)/endpoints the skill will use and list any required API keys or env vars, (3) restrict queries to approved endpoints and require explicit user consent before transmitting precise coordinates, and (4) document how location fuzzing is implemented. If you can't get those clarifications, treat the skill as untrusted because it may call arbitrary external services or fail to function as intended.

Like a lobster shell, security has layers — review code before you run it.
