Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Super Powers AI

v1.0.4

Install and run the published SuperPowers desktop streamer npm package. Use when a user needs a portable ClawHub skill that installs the third-party npm pack...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for rohanarun/super-powers.

Install the skill "Super Powers AI" (rohanarun/super-powers) from ClawHub.
Skill page: https://clawhub.ai/rohanarun/super-powers
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install super-powers

ClawHub CLI


npx clawhub@latest install super-powers
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match the implementation: the helper installs the npm package superpowers-ai into .superpowers/npm and runs its CLI. It does not request unrelated environment variables or attempt global installs. The pin to a single package name and the claimed provenance are consistent with the code.
Instruction Scope
SKILL.md and the helper script stay within the stated scope (install, login, start/stop, whoami, logout). The main risk is inherent: the helper installs and then executes an unreviewed third‑party package (no source edits). The instructions do not read unrelated files or request unexpected env vars, but the runtime package may prompt for email/phone verification and will talk to its backend.
Install Mechanism
There is no separate install spec; the runtime script executes npm install --prefix into the skill's state directory. That is an expected, low-friction approach, but installing a package from the public npm registry at runtime means arbitrary code from that package will run. The script retries with a temp npm cache if needed — nothing unusual but it performs network downloads.
Credentials
The skill declares no required environment variables or credentials, which matches the files. However the script uses the user's current npm configuration and environment when invoking npm/node (process.env is forwarded). If the user has registry auth tokens or sensitive npm config (~/.npmrc or env vars) those could influence the install or be used during runtime. The package itself will ask for login credentials (email/phone) — that is expected, but those credentials go to the package's backend, not the skill.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and confines files to its own .superpowers state directory. It uses normal local permissions and does not perform system‑wide changes.
Assessment
This skill is internally coherent, but before running it be aware it will download and execute the third‑party npm package superpowers-ai (you are not given its source as part of the skill). That package may contact its own backend, ask for email/phone verification, and require screen/capture permissions on macOS. Recommended precautions:

  • Inspect the package and maintainer on npm (publisher: superpowersai, maintainer email listed in SKILL.md). Check the package homepage/repo and recent releases.
  • If you keep registry auth tokens or sensitive settings in your npm config (~/.npmrc or env vars), either remove them or run the helper in a disposable environment (VM/container) so tokens cannot be used by the install or package.
  • If you want to audit code before running, download the package (npm pack or view its repo) and review the bin/entrypoint referenced by the helper (bin/supers.js) before running it.
  • For maximum safety, run the workflow in an isolated machine or sandbox, and avoid handing production credentials or personal phone/email you don't want tied to a third‑party service.

If you trust the superpowersai publisher and are comfortable with these supply‑chain risks, the skill behaves as described.
scripts/install_and_run.js:84
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Plugin bundle (nix)
Skill pack · CLI binary · Config
Config requirements
State dirs: .superpowers
CLI help (from plugin)
node scripts/install_and_run.js --help
node scripts/install_and_run.js
node scripts/install_and_run.js --start
node scripts/install_and_run.js --stop
latest vk97fm01s3w9rdbqc6svnj791c184d9sk
109 downloads
0 stars
5 versions
Updated 3w ago
v1.0.4
MIT-0

Config example

config = {

};

SuperPowers Streamer CLI

Use this skill when the user only needs the published npm package workflow.

Assume:

  • no source-code access
  • no repo edits
  • the package can be installed in any normal npm environment

Important Behavior

This skill's helper script does not build local source code.

It will:

  • install the published third-party npm package superpowers-ai into the skill's local .superpowers/npm directory
  • execute the locally installed CLI from that isolated state directory
  • do that using the user's current npm config and normal local permissions

It does not perform a global npm install.

Use this skill only when that package-install-and-run behavior is what the user wants.
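
Because the helper runs npm with the user's current npm config and forwards the calling environment, one way to limit what the install can see is to launch it from a wrapper with a scrubbed environment. This is an added example, not part of the skill or the superpowers-ai package; the function names, the variable-name patterns and the sample values are assumptions.

```javascript
// Added example, not part of the skill. Name patterns below are assumptions.
const SECRET_NAME = /(token|secret|passw(or)?d|api_?key|_auth)/i;

// Copy `env` without credential-looking variables or npm_config_* overrides,
// then point npm at an empty user config so ~/.npmrc is not loaded.
function scrubEnv(env, emptyNpmrc) {
  const clean = {};
  for (const [name, value] of Object.entries(env)) {
    if (SECRET_NAME.test(name) || /^npm_config_/i.test(name)) continue;
    clean[name] = value;
  }
  clean.npm_config_userconfig = emptyNpmrc;
  return clean;
}

// Return the keys in .npmrc text that hold registry credentials.
function findNpmrcSecrets(text) {
  const hits = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#") || line.startsWith(";")) continue;
    const key = line.split("=")[0].trim();
    if (/(^|:)(_authToken|_auth|_password)$/.test(key)) hits.push(key);
  }
  return hits;
}

// Run the skill helper (e.g. args = ["--install-only"]) with the scrubbed env.
function runHelperScrubbed(args) {
  // Modules are loaded here so the pure helpers above have no side effects.
  const fs = require("node:fs"), os = require("node:os"), path = require("node:path");
  const { spawnSync } = require("node:child_process");
  const emptyNpmrc = path.join(fs.mkdtempSync(path.join(os.tmpdir(), "npmrc-")), "npmrc");
  fs.writeFileSync(emptyNpmrc, "");
  const opts = { env: scrubEnv(process.env, emptyNpmrc), stdio: "inherit" };
  return spawnSync(process.execPath, ["scripts/install_and_run.js", ...args], opts).status;
}

// Constructed sample input (no real tokens or hosts).
const SAMPLE_NPMRC = [
  "# constructed sample",
  "registry=https://registry.npmjs.org/",
  "//registry.npmjs.org/:_authToken=EXAMPLE-NOT-A-REAL-TOKEN",
].join("\n");
const SAMPLE_ENV = { PATH: "/usr/bin", HOME: "/home/dev", NPM_TOKEN: "EXAMPLE",
  npm_config_registry: "https://registry.example.invalid/", GITHUB_TOKEN: "EXAMPLE" };

console.log(findNpmrcSecrets(SAMPLE_NPMRC));
console.log(Object.keys(scrubEnv(SAMPLE_ENV, "/tmp/empty-npmrc")));
```

The scrub only limits what npm and the package inherit through environment variables and the user-level npm config; the installed package still runs with the user's file permissions, so a disposable VM or container remains the stronger control.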

Package Provenance

The helper is designed around this published package:

  • npm package: superpowers-ai
  • npm page: https://www.npmjs.com/package/superpowers-ai
  • expected npm publisher: superpowersai
  • expected maintainer email: rohan@getsupers.com

When explaining this skill, be explicit that it installs and executes that published npm package on the user's machine.

The helper is intentionally pinned to that one package. It does not accept an alternate npm package name.

Main Flow

  1. Confirm node and npm exist.
  2. Install superpowers-ai into .superpowers/npm.
  3. Run the login or create-account flow.
  4. Let the package auto-start the streamer after verification.
  5. If needed, start it again manually and open the printed /general control link.

Fastest Path

Run:

node scripts/install_and_run.js

That script:

  • installs the published third-party npm package superpowers-ai into .superpowers/npm
  • retries with a temp npm cache if the normal install fails
  • runs the locally installed CLI from the skill state directory
  • runs the package's login flow by default

Other Modes

Install only:

node scripts/install_and_run.js --install-only

Start only:

node scripts/install_and_run.js --start

Stop the local streamer:

node scripts/install_and_run.js --stop

Show the saved account:

node scripts/install_and_run.js --whoami

Log out:

node scripts/install_and_run.js --logout

Customer Commands

Through this skill helper, the main commands are:

node scripts/install_and_run.js
node scripts/install_and_run.js --start
node scripts/install_and_run.js --stop
node scripts/install_and_run.js --whoami
node scripts/install_and_run.js --logout

macOS Notes

On macOS, the user may need to allow:

  • Screen Recording
  • Accessibility

If macOS prompts for permissions, approve them and rerun:

node scripts/install_and_run.js --start

Troubleshooting

Read references/install.md for install and usage wording. Read references/troubleshooting.md for common npm, login, and streaming failures.
