Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Scripting Utils

v1.0.0

Universal scripting utilities supporting 8+ languages (Bash, PowerShell, Python, Perl/Raku, JavaScript, Tcl), IRC bot frameworks (pbot, Limnoria), system man...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
SKILL.md describes syntax validation and linting across many languages (shellcheck, pylint/mypy, perlcritic, eslint, pwsh/PSScriptAnalyzer, raku, node, tcl) and WebSearch-driven documentation fetches. The skill's registry metadata lists no required binaries or credentials — this is inconsistent because the described functionality requires many external tools (shellcheck, node, python tooling, pwsh, raku, etc.) and likely network access. The package.json also lists a relative dependency ("../json-utils") which is not a normal published dependency and appears to assume a particular repository layout.
Instruction Scope
The SKILL.md instructs the agent to validate scripts, fetch documentation from web sources (e.g., Microsoft docs, GitHub) and to perform batch validation and schema-based JSON validation. Those actions imply network access and the ability to read local files/directories (batch validation, schema files like github_api_schema.json). The instructions do not explicitly limit which local files or system state to read, nor do they document what WebSearch endpoints or rate limits are used. That gives the skill broad discretion unless the implementation imposes constraints.
! Install Mechanism
There is no install spec (instruction-only), but the bundle contains code files and package.json. package.json sets "main": "SKILL.md" and a dependency "../json-utils" (a relative path) — this is atypical and will fail in standard package installs. The absence of an install mechanism for dependencies and native tools (e.g., shellcheck, pylint) is inconsistent with the skill's claimed runtime needs.
Credentials
The skill requests no environment variables or credentials in metadata, which is proportionate for general linting; however, its WebSearch and API-validation features imply network calls but no declared API keys or endpoints. The unexplained relative dependency on ../json-utils suggests it expects local repository layout or shared credentials/config outside the skill manifest.
Persistence & Privilege
The skill does not request always: true and uses default model-invocation settings. It does not declare config paths or persistent privileges. No indicators that it will alter other skills or system-wide settings.
What to consider before installing
This skill has useful-sounding functionality, but the bundle is internally inconsistent and may not work as-is. Before installing:
(1) ask the author how external tools are provided (shellcheck, pylint, eslint, pwsh, raku, node) and whether the runtime will install or require them on PATH;
(2) ask how WebSearch is implemented (which endpoints, whether it uses an API key, and where fetched data is sent/stored);
(3) verify the relative dependency "../json-utils" — confirm that dependency will be available or published;
(4) review the actual script source (scripts/*.py) for any hard-coded remote endpoints or credential access; and
(5) prefer a skill with a proper install spec or a published dependency chain and a homepage/maintainer contact.
If you must try it, run in a restricted/sandboxed environment and inspect network activity and what local files it reads/writes.

Like a lobster shell, security has layers — review code before you run it.
