Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TOSR Publish Then Update Test

v0.2.0

Automated test skill validating creation, inspection, update, and deletion of skills via the clawhub REST API lifecycle.

by yuangui @yinwuzhe

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yinwuzhe/tosr-test-pub-update-1776925224.

Install the skill "TOSR Publish Then Update Test" (yinwuzhe/tosr-test-pub-update-1776925224) from ClawHub.
Skill page: https://clawhub.ai/yinwuzhe/tosr-test-pub-update-1776925224
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install tosr-test-pub-update-1776925224

ClawHub CLI

npx clawhub@latest install tosr-test-pub-update-1776925224

Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The skill's purpose is an integration test that creates, updates, inspects, and deletes skills via the clawhub REST API — that capability is coherent with the name/description. However, exercising the clawhub API typically requires a base URL and authentication; the skill declares no required environment variables, no primary credential, and gives only relative endpoints (e.g. POST /api/v1/skills) with no host or auth instructions. The lack of declared credentials or target host is inconsistent with the stated capability.
[!] Instruction Scope
SKILL.md explicitly directs the agent to perform destructive operations (publish, update, delete) against the 'real clawhub API' but provides no host, auth, headers, rate-limit/safety checks, or rollback/confirmation steps. That leaves broad discretion to the agent and risks unintended mutations on a production registry if run. The file also claims ephemeral cleanup but gives no mechanism or guarantees.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes installation risk — nothing is downloaded or written to disk by the skill itself.
[!] Credentials
No environment variables or credentials are declared despite the skill needing to call protected API endpoints to create/update/delete skills. That mismatch is suspicious: the skill either assumes implicit platform-provided credentials (not documented) or omits required sensitive inputs, both of which are problematic.
Persistence & Privilege
The skill does not request permanent presence (always:false) and is user-invocable. Autonomous invocation (model-invocation allowed) is the platform default; by itself this is not a new privilege. Still, autonomous execution combined with the destructive API calls described above increases risk if the skill were run without review.
What to consider before installing

This skill will attempt to create, update, inspect, and delete skills via the clawhub REST API but does not specify which host or how to authenticate. Before installing or running it:

  1. Do not run this against a production clawhub instance.
  2. Ask the author to provide the base URL and explicit authentication requirements (what env vars or token are needed) and to declare them in requires.env.
  3. Prefer running the test in an isolated/staging environment you control and verify cleanup behavior.
  4. If you can't get clear auth/host instructions, decline installation — the skill could perform destructive actions unintentionally.
  5. Consider disabling autonomous invocation until you confirm safe defaults and credentials.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972ambjjm77nyxjk49nvbts7x85d46h
70 downloads
0 stars
2 versions
Updated 5d ago
v0.2.0
MIT-0

TOSR Publish Then Update Test — version 0.2.0

Description

This is an automated integration test skill (tosr-test-pub-update-1776925224) created by the TOSR project. The purpose is to verify the complete skill lifecycle through the clawhub REST API, including creation, version updates, and deletion.

Test Identifier

  • Slug: tosr-test-pub-update-1776925224
  • Version: 0.2.0
  • Created: 2026-04-23T14:20:44+08:00

How It Works

This skill validates the following operations against the real clawhub API:

  1. Publish — Creates a new skill via POST /api/v1/skills with multipart form data
  2. Inspect — Retrieves skill metadata via GET /api/v1/skills/{slug}
  3. Update — Publishes a new version of an existing skill
  4. Delete — Removes the skill via DELETE /api/v1/skills/{slug}

Notes

This skill is ephemeral and will be automatically deleted after the test completes. If you see this skill listed on clawhub, it means a test run failed to clean up properly.
