ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-base-cli

v1.0.0

The official Skill Base CLI client. Use the `skb` (Skill Base CLI) command to search, install, update, publish, and import-from-GitHub skills from Skill Base...

0· 67·0 current·0 all-time
by@ginuim

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for ginuim/skill-base-cli.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "skill-base-cli" (ginuim/skill-base-cli) from ClawHub.
Skill page: https://clawhub.ai/ginuim/skill-base-cli
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-base-cli

ClawHub CLI

Package manager switcher

npx clawhub@latest install skill-base-cli
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes an official CLI (skb) used to search, install, publish, and import skills, which matches the skill name and description. However, the runtime docs require Node.js >=18 and recommend npm/npx usage, yet registry metadata lists no required binaries. That mismatch is unexpected (the CLI legitimately needs Node.js).
Instruction Scope
Instructions are focused on CLI usage: search/install/update/publish, configuring SKB_BASE_URL, and the login flow. They tell the agent to run terminal commands and to read/write ~/.skill-base/config.json (local install records and stored PAT). There is no instruction to read unrelated system files or exfiltrate data, but publishing/importing will upload folder contents to the configured server — a sensitive operation the user must approve.
Install Mechanism
This is an instruction-only skill (no install spec). SKILL.md tells users to run `npm install -g skill-base-cli` or use `npx`. That's a reasonable deployment option for a Node CLI, but the lack of an install spec in the registry metadata is an omission. Also note: running `npm install -g` executes third-party code on the user's machine, which is normal for CLIs but carries usual npm risks.
!
Credentials
The README references an environment variable SKB_BASE_URL and the config path ~/.skill-base/config.json (which will store auth/PATs and install records). The registry metadata declares no required env vars or config paths — this is inconsistent. The skill will cause tokens/PATs to be created and stored locally when the user runs `skb login` and will send skill files to the configured server when publishing; these behaviors are expected for the CLI but are sensitive and should be clearly declared.
Persistence & Privilege
The skill does not request always:true and does not alter other skills. It will cause the CLI to create and update files under the user's home (~/.skill-base/) and may install skills into local or IDE directories. This is normal for a CLI but means the skill can persist data (config and tokens) on the host.
What to consider before installing
This SKILL.md looks like legitimate documentation for a CLI, but the registry metadata omits important runtime requirements. Before installing or following agent actions: (1) Confirm you have Node.js >=18 and trust the npm package source; (2) Be aware `skb login` creates and stores a PAT in ~/.skill-base/config.json — do not paste that PAT into chat; (3) Verify SKB_BASE_URL points to a trusted Skill Base server before publishing — publishing will upload your skill folder to that server; (4) Ask the publisher/maintainer to update the registry metadata to declare required binaries (Node.js), the SKB_BASE_URL env var, and the config path. If you are uncomfortable with the CLI installing packages or storing tokens, do not proceed.

Like a lobster shell, security has layers — review code before you run it.

latestvk975xw6306n9xbwse9r1dgwyy984twpg
67downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
@ginuim
latest
Download

Pull and Publish Skills with skb

Assistants should complete operations by running terminal commands. Package name skill-base-cli, command skb after installation.

When to Use This Skill

  • Users request to search, install, update, or publish specific skills using the skb command.
  • Users need to configure the client connection address (skb init) or log in (skb login).
  • Users want to search, install, update, or publish Skills to a privately deployed Skill Base site.

When NOT to Use This Skill

  • Users want to deploy, start, or maintain the Skill Base server itself (use skill-base-web-deploy instead).

Environment

  • Node.js >= 18
  • Installation: npm install -g skill-base-cli, or npx skill-base-cli <subcommand>
  • Server address: Environment variable SKB_BASE_URL takes priority, otherwise reads ~/.skill-base/config.json, default is http://127.0.0.1:8000
  • Set and save: skb init --server <site root URL> (do not include /api)

Login and Authentication Rules (Important)

  • No login required: search, install, update, init and other regular read operations usually do not require login. Assistants should not proactively ask users to log in before these operations.
  • Login required: skb publish must be logged in.
  • Login flow (skb login):
    1. Execute skb login in the terminal.
    2. The console will output a login page URL containing from=cli, open the login page in a browser.
    3. After successful web login, a verification code (in the format XXXX-XXXX) will be provided.
    4. Enter the verification code in the terminal to exchange for a PAT.
  • Logout: skb logout.

Search and Install

skb search <keyword>
skb install <skill_id>              # Latest version
skb install <skill_id>@<version>    # Specific version, e.g., v20260327.161122
skb install <skill_id> -d <target_directory>

Optional: Install to an IDE's skill directory, e.g., skb install <skill_id> -i cursor; use -g for global installation (supported by some IDEs only).

Update Installed Skills

skb update <skill_id>
skb update <skill_id> -d <directory>
skb list
skb ls
  • skb install records the local install path, version, and timestamp in ~/.skill-base/config.json
  • skb list / skb ls list all locally recorded skills, then let the user choose one to update, delete local files, or clear config records
  • skb update <skill_id> first shows the available versions with changelog and uploader, then lets the user multi-select one or more recorded install directories to update together
  • skb update <skill_id> -d <directory> still works as an explicit one-off update for <directory>/<skill_id>

Publish

  • Skill name must pass /^[\w-]+$/ validation, e.g., skill-base-cli
  • Prepare content in a folder named after the skill, root directory must contain SKILL.md
  • Recommended: Use frontmatter in SKILL.md to mark name and description as the skill name and description
  • If SKILL.md frontmatter has a name field, it must match the folder name
  • If no frontmatter is used: Use the folder name as the skill name; the first paragraph of non-# text under the title is the skill description (can be overridden with --description)
  • Execute in the skill directory: skb publish; or execute from any location: skb publish <skill_folder_path>
  • Common usage: skb publish <path> --changelog "description"
  • After publishing, describe the result to the user in 2 sentences, no need to be verbose

Import from GitHub (public repos, skill-base login required)

  • skb import-github owner/repo or skb import https://github.com/owner/repo,like https://github.com/anthropics/skills/tree/main/skills/pdf
  • Same auth as publish (skb login)
  • Options: --ref, --subpath, --target <skill_id>, --changelog, --dry-run (preview JSON only)
  • Server downloads the repo archive; private repos are not supported

Troubleshooting Failures

  • First confirm SKB_BASE_URL points to the instance the user wants to use, as skill-base can be deployed internally and ports can be changed, verify the address is correct
  • If the user deployed skill-base on a server, most servers need inbound/outbound port configuration to be accessible, users need to check if the address is accessible in the browser
  • Check if it's a network issue, can use ping/telnet to confirm
  • Publish failure: First skb login; then verify SKB_BASE_URL, folder name and frontmatter name are consistent and match [\w-]+, check SKILL.md and network
  • Install failure: Use skb search to verify skill_id; when unsure of version, use skb install <skill_id> to install latest

Comments

Loading comments...