Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xpert Xchange

v1.0.0

Connect with experts across domains to exchange skills, share knowledge, collaborate on projects, and build your professional network efficiently.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description promise a platform for connecting experts, marketplaces, collaboration spaces, and verified directories. The included code implements a simple local CRUD-style Python class that reads/writes JSON files in the current directory, with no networking, no API endpoints, no authentication, and no verification logic. The required capabilities (e.g., connecting users across networks, marketplace flows, verification) are not implemented, which is an incoherence between advertised purpose and actual capability.
Instruction Scope
SKILL.md contains high-level user-facing usage guidance and does not instruct the agent to read sensitive system files or environment variables. However, it also does not mention that the implementation will read/write local files (xperts.json, xchanges.json, collaborations.json, knowledge_resources.json). That file I/O is limited to the skill's own data files (no arbitrary path access), but the omission is a documentation mismatch worth noting.
Install Mechanism
No install specification is provided and the skill is instruction/code-only. No external downloads, package installs, or extract operations are declared, which keeps install risk low.
Credentials
The skill declares no required environment variables or credentials, and the code does not access environment secrets. The scope of requested environment access is proportionate (i.e., none).
Persistence & Privilege
The skill is not force-enabled (always: false) and does not request elevated system privileges. It will create and update JSON files in the working directory (its own data persistence) but does not modify other skills or system-wide configs.
What to consider before installing
This skill appears to be a local proof-of-concept rather than an actual networked expert-exchange platform. Before installing or running it:
1) Expect it to create/read/update files named xperts.json, xchanges.json, collaborations.json, and knowledge_resources.json in the agent's working directory; run it in a sandbox or isolated folder.
2) If you expected networked features (APIs, user accounts, verification, marketplace), ask the author for clarification or source that implements those parts — they are not present.
3) Review or run the Python file in a safe environment to confirm there are no hidden network calls or additional behavior.
4) Because the documentation and implementation disagree, proceed cautiously; this looks more like an unfinished/local tool than a fully featured collaboration platform.

Like a lobster shell, security has layers — review code before you run it.

latestvk977b6t6zdazcfmd5nsc541rsn84vrqz
