Skillscanner

v1.0.1

Security scanner for ClawHub skills from Gen Digital. Looks up skill safety via the scan API.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name and description say it looks up ClawHub skill safety via a scan API, and the SKILL.md instructs exactly that (POST to https://ai.gendigital.com/api/scan/lookup with the ClawHub URL). No unrelated credentials, binaries, or installs are requested. Note: source/homepage are missing, but that does not make the functionality incoherent.
Instruction Scope
Runtime instructions are narrow: perform a single HTTP POST with the skill URL and interpret status and severity fields. The instructions do not ask the agent to read files, env vars, or other local data. The only data transmitted is the skill URL (which may include author/slug).
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written to disk or installed by the skill.
Credentials
No environment variables, credentials, or config paths are requested. The skill does not attempt to access unrelated secrets. One caveat: the SKILL.md provides no auth flow; if the API required credentials this skill does not handle them.
Persistence & Privilege
always is false and the skill does not request persistent privileges or modify other skill/system settings. Autonomous invocation is allowed (platform default) but not excessive for this utility.
Assessment
This skill is internally consistent: it sends a ClawHub skill URL to ai.gendigital.com and uses the returned status/severity. Before installing, confirm you trust the external service (ai.gendigital.com) because the skill will transmit each scanned skill URL there. Check whether the API requires authentication (the skill provides no auth flow) and prefer scanning in a sandbox or using manual review for high‑risk skills. Because the package has no homepage or source link, prefer caution — verify the operator (Gen Digital) independently if you will rely on these scan results.

Like a lobster shell, security has layers — review code before you run it.
