Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PluginEval

v2.0.0

PluginEval Quality Evaluation with enhanced UI. Wraps plugineval-core with vetting and reporting features. Requires plugineval-core.

Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (PluginEval wrapper around plugineval-core) match the instructions, which call evaluation and vetting scripts. However, the skill declares a required dependency (plugineval-core) but provides no bundled implementation — it delegates behavior to external scripts and a separate skill. Also, _meta.json reports v1.3.0 while SKILL.md and registry metadata reference v2.0.0, an inconsistency that should be clarified.
Instruction Scope
The runtime instructions tell users/agents to run scripts located under ~/.openclaw (e.g., ~/.openclaw/skills/plugineval/scripts/vet.sh) or to clone and copy scripts from the GitHub repo into their PATH. Those instructions implicitly require writing and executing arbitrary shell scripts from an external repo and reading from the user's home workspace. That expands scope beyond an instruction-only wrapper and could lead to executing unreviewed code unless the scripts are inspected first.
Install Mechanism
There is no formal install spec. Instead the docs instruct cloning a GitHub repo and copying scripts to PATH or relying on a separate Nova workspace setup. Relying on an out-of-band repository to obtain executable scripts is higher risk than a self-contained, pinned install; executing those scripts without review could run arbitrary code.
Credentials
The skill does not request any environment variables, credentials, or config paths in the registry metadata. That is proportionate to a local evaluation utility. Note: instructions implicitly access files under ~/.openclaw and require presence of local tools (Python, Ollama) but do not ask for secrets.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent system-wide privileges in metadata. However its instructions encourage copying scripts into PATH (a persistent change) and depending on external workspace tooling, so installation may create persistent executables outside the skill bundle.
What to consider before installing
This skill is an instruction-only wrapper that delegates to external scripts and a separate plugineval-core. Before installing or running it:

  1) Clarify the version mismatch (_meta.json v1.3.0 vs SKILL.md/registry v2.0.0).
  2) Do not blindly run or copy scripts from the linked GitHub repo — inspect the vet.sh, clawdefender.sh, and other scripts for unexpected network calls, credential access, or privileged operations.
  3) Prefer a pinned release or commit rather than cloning main; avoid running as root.
  4) If you will allow automated agents to invoke this skill, understand they may execute the external scripts under ~/.openclaw and could change PATH.
  5) Verify that plugineval-core (the required dependency) is present and from a trusted source, or request that the skill bundle its runtime or provide an explicit, auditable install specification.

If you want to proceed confidently, ask the publisher to (a) fix the version metadata, (b) include or pin the evaluation scripts in the skill bundle, or (c) provide a vetted install script and signed release.

Like a lobster shell, security has layers — review code before you run it.

Tags: latest, quality, security, skills, vetting (vk977ck2fpzaxx9bem1py9ecrch84fcxc)
94 downloads
0 stars
5 versions
Updated 1w ago
v2.0.0
MIT-0

PluginEval 2.0.0 🔬

Enhanced quality evaluation with vetting workflow. This skill wraps plugineval-core and adds:

  • Combined security + quality checks
  • Vetting workflow
  • Report generation

Use When

  • Evaluating skills before installation
  • Combined security + quality vetting
  • Publishing with quality badges

Dependencies

Required: plugineval-core

clawhub install plugineval-core

Input / Output

Input: Skill name or path

Output: Combined security + quality report

Quick Start

# Vetting workflow (Security + Quality)
~/.openclaw/skills/plugineval/scripts/vet.sh weather-pollen

# Or use core directly
python3 ~/.openclaw/skills/plugineval-core/scripts/eval.py --layer1 <skill>

Examples

Vetting a Skill

vet-skill weather-pollen

# Output:
# ════════════════════════════════════════════════════
# Skill Vetting: weather-pollen
# ════════════════════════════════════════════════════
#
# [1/3] Security Scan (ClawDefender)
# ─────────────────────────────────────────
#   ✓ Clean
#
# [2/3] Quality Evaluation (PluginEval)
# ─────────────────────────────────────────
#   Final: 81 | Badge: Gold ★★★★
#
# [3/3] Anti-Pattern Detection
# ─────────────────────────────────────────
#   ✓ No anti-patterns

References

  • EXTERNAL.md - External dependencies documentation
  • plugineval-core - Core evaluation engine

Changelog

v2.0.0 (2026-04-08)

  • Now wraps plugineval-core (separate skill)
  • Added dependency management
  • Simplified structure
  • Platinum badge quality

v1.3.0 (2026-04-08)

  • Version sync fix
  • Added source link
  • Added EXTERNAL.md documentation

v1.2.0 (2026-03-31)

  • Added Layer 3: Auto-Fix
  • Added vet-skill.sh

v1.0.0 (2026-03-31)

  • Initial release

Requires: plugineval-core | Version: 2.0.0
