ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Uxc

v1.0.4

Discover and call remote schema-exposed interfaces with UXC. Use when an agent or skill needs to list operations, inspect operation schemas, and execute Open...

0· 474·2 current·2 all-time
by@jolestar
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md describes a CLI-based adapter that expects a locally installed 'uxc' (and optionally 'grpcurl') which matches the stated purpose of discovering and calling schema-exposed interfaces. The repository includes a validation script that requires 'rg' (ripgrep) but this is a development/validation helper and not needed for normal runtime use.
Instruction Scope
Runtime guidance confines actions to discovery and invocation of remote schema endpoints via the uxc CLI and to setting up link commands and credentials. The docs reference using environment-backed secrets and 1Password templates for auth, but the skill itself does not demand or attempt to read local secrets; those are configuration patterns for the user. The SKILL.md does recommend running an install script but explicitly advises reviewing it before running.
Install Mechanism
There is no platform install spec (instruction-only skill), so nothing is written to disk by the skill. The docs instruct users to install uxc via Homebrew, cargo, or an install script fetched from raw.githubusercontent.com/holon-run/uxc — pointing to a GitHub raw URL is common, but users should review any fetched script before executing it.
Credentials
The skill declares no required environment variables or credentials. The reference docs describe patterns for using env-backed secrets, 1Password, and OAuth only as configuration options for the uxc runtime; those are appropriate and proportional to a CLI that must authenticate to remote services.
Persistence & Privilege
The skill does not request always: true and does not modify other skills or global agent settings. It encourages creating persistent local link commands via 'uxc link' which is expected behaviour for a wrapper CLI and is limited to the user's environment.
Assessment
This skill appears to be what it says: a wrapper for invoking schema-exposed remote APIs via the uxc CLI. Before installing or running anything: (1) verify and review the upstream install script if you intend to use it (don't run unreviewed scripts), (2) prefer Homebrew or cargo if you trust those package sources, (3) be deliberate when configuring credentials—use env variables or a secrets manager (1Password) rather than pasting literals, and (4) remember the skill expects a local uxc daemon/links to be configured so network calls executed by uxc will reach whatever endpoints you bind; only bind credentials to hosts you trust.

Like a lobster shell, security has layers — review code before you run it.

latestvk9793zr9ceh72mvps72webca2982jnxw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments