ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Whataburger

v1.0.1

提供华堡汉堡菜单查询、门店信息、会员积分及优惠券服务,支持全天候定制订餐和品牌资讯。

0· 65·1 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name/description advertises menu queries, store info, membership points, coupons and ordering, but the SKILL.md only defines static 'information modules' (history, business scope, global layout, latest news). There are no instructions, APIs, or required credentials that would support ordering, membership access, or coupon redemption — this is a clear mismatch between claimed capabilities and the actual runtime instructions.
Instruction Scope
SKILL.md is narrowly scoped to returning descriptive information about the brand and news. It does not request access to files, environment variables, system paths, or external endpoints beyond a generic suggestion to visit the official website.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk or downloaded during install.
Credentials
The skill declares no required environment variables, credentials, or config paths — there is no secret access requested, which is proportionate given the limited instructions.
Persistence & Privilege
always is false and model invocation is allowed (platform default). The skill does not request persistent privileges or modify other skills/configs.
What to consider before installing
This skill appears to be an informational stub despite its description promising interactive features like ordering and membership/coupon handling. It's not malicious (no installs or credential requests), but it's misleading. Before installing or relying on it: 1) don't provide any account credentials — the skill doesn't need them; 2) expect only static brand information (history, business scope, news); 3) if you need ordering or membership features, ask the publisher for details or prefer a skill that documents its API/credentials; 4) treat this as low-risk but likely incomplete or misrepresented functionality.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b8rx0yf4mawwr115pa2tdxd84wh14

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments