ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-packager

Skill-packager automates bundling related files and metadata into a single package for deployment, distribution, or archival tasks.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 18 · 0 current installs · 0 all-time installs
by@binyuli
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description (packaging/bundling) are reasonable and do not imply a need for cloud credentials or unusual system access. However, the SKILL.md contains only template text and TODOs rather than concrete packaging steps, inputs, outputs, or required resources, so it's under-specified rather than clearly misaligned.
!
Instruction Scope
The SKILL.md is a generic template with no concrete runtime instructions; it explicitly invites adding scripts/resources and notes that scripts may be executed. That vagueness could allow an agent to run arbitrary commands or access files if the skill is later populated. There are no constraints listed about what files, paths, or external endpoints are allowed or forbidden.
Install Mechanism
No install spec and no code files are present (instruction-only). This is the lowest-risk install pattern because nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no required environment variables, credentials, or config paths. That is proportionate for the stated purpose — although a real packager might reasonably request filesystem access or an output path, none are requested here.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill can be invoked autonomously by the agent (platform default); combined with the SKILL.md's vagueness this raises moderate concern because autonomous invocation plus unspecified behavior increases risk, but that is a platform-wide default rather than a property unique to this skill.
What to consider before installing
This skill appears to be an unused template rather than a finished packager: it makes no dangerous requests, but its runtime instructions are missing and the document explicitly allows adding executable scripts — which could later enable arbitrary actions. Before installing or enabling autonomous invocation: 1) Request a completed SKILL.md that lists exact inputs, outputs, files/paths the skill will read and write, and any commands or scripts it will run. 2) Confirm there are no attached scripts or resources that will be executed, or ask for their source code to review. 3) If you must test it, disable autonomous invocation and run it in a restricted/sandbox environment with limited filesystem access. 4) Prefer skills with a known source/homepage and concrete examples of usage; avoid enabling persistent or always-on privileges until the behavior is explicit and auditable.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk975q52e8y6hwejytf3rtrsm9n830em2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Skill Packager

Overview

[TODO: 1-2 sentences explaining what this skill enables]

Structuring This Skill

[TODO: Choose the structure that best fits this skill's purpose. Common patterns:

1. Workflow-Based (best for sequential processes)

  • Works well when there are clear step-by-step procedures
  • Example: DOCX skill with "Workflow Decision Tree" -> "Reading" -> "Creating" -> "Editing"
  • Structure: ## Overview -> ## Workflow Decision Tree -> ## Step 1 -> ## Step 2...

2. Task-Based (best for tool collections)

  • Works well when the skill offers different operations/capabilities
  • Example: PDF skill with "Quick Start" -> "Merge PDFs" -> "Split PDFs" -> "Extract Text"
  • Structure: ## Overview -> ## Quick Start -> ## Task Category 1 -> ## Task Category 2...

3. Reference/Guidelines (best for standards or specifications)

  • Works well for brand guidelines, coding standards, or requirements
  • Example: Brand styling with "Brand Guidelines" -> "Colors" -> "Typography" -> "Features"
  • Structure: ## Overview -> ## Guidelines -> ## Specifications -> ## Usage...

4. Capabilities-Based (best for integrated systems)

  • Works well when the skill provides multiple interrelated features
  • Example: Product Management with "Core Capabilities" -> numbered capability list
  • Structure: ## Overview -> ## Core Capabilities -> ### 1. Feature -> ### 2. Feature...

Patterns can be mixed and matched as needed. Most skills combine patterns (e.g., start with task-based, add workflow for complex operations).

Delete this entire "Structuring This Skill" section when done - it's just guidance.]

[TODO: Replace with the first main section based on chosen structure]

[TODO: Add content here. See examples in existing skills:

  • Code samples for technical skills
  • Decision trees for complex workflows
  • Concrete examples with realistic user requests
  • References to scripts/templates/references as needed]

Resources (optional)

Create only the resource directories this skill actually needs. Delete this section if no resources are required.

scripts/

Executable code (Python/Bash/etc.) that can be run directly to perform specific operations.

Examples from other skills:

  • PDF skill: fill_fillable_fields.py, extract_form_field_info.py - utilities for PDF manipulation
  • DOCX skill: document.py, utilities.py - Python modules for document processing

Appropriate for: Python scripts, shell scripts, or any executable code that performs automation, data processing, or specific operations.

Note: Scripts may be executed without loading into context, but can still be read by Codex for patching or environment adjustments.

references/

Documentation and reference material intended to be loaded into context to inform Codex's process and thinking.

Examples from other skills:

  • Product management: communication.md, context_building.md - detailed workflow guides
  • BigQuery: API reference documentation and query examples
  • Finance: Schema documentation, company policies

Appropriate for: In-depth documentation, API references, database schemas, comprehensive guides, or any detailed information that Codex should reference while working.

assets/

Files not intended to be loaded into context, but rather used within the output Codex produces.

Examples from other skills:

  • Brand styling: PowerPoint template files (.pptx), logo files
  • Frontend builder: HTML/React boilerplate project directories
  • Typography: Font files (.ttf, .woff2)

Appropriate for: Templates, boilerplate code, document templates, images, icons, fonts, or any files meant to be copied or used in the final output.

Not every skill requires all three types of resources.

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…