ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

message-hub-socneo

v1.0.0

Message Hub - AI Team Message Hub Client for async collaboration

0· 180·0 current·0 all-time
by@socneo

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for socneo/message-hub-socneo.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "message-hub-socneo" (socneo/message-hub-socneo) from ClawHub.
Skill page: https://clawhub.ai/socneo/message-hub-socneo
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install message-hub-socneo

ClawHub CLI

Package manager switcher

npx clawhub@latest install message-hub-socneo
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements a Message Hub client (push/pull/broadcast/health/stats) consistent with the name/description. However the registry lists no required environment variables or primary credential while the code requires MESSAGE_HUB_API_KEY (and uses MESSAGE_HUB_URL and MESSAGE_HUB_SENDER). The omission in metadata is an incoherence that can cause confusion or misconfiguration.
Instruction Scope
SKILL.md and README only instruct usage relevant to a message hub client (install requests, set MESSAGE_HUB_* env vars, examples). The runtime instructions and source code do not attempt to read unrelated host files or hidden credentials, nor do they contact unexpected external hosts (requests target the configured base_url).
Install Mechanism
No install spec is provided (instruction-only install). The README asks to pip install requests which is proportional. Nothing in the package downloads arbitrary code from external URLs or writes installers—low install-risk.
!
Credentials
The client legitimately needs an API key (MESSAGE_HUB_API_KEY) and optionally MESSAGE_HUB_URL and MESSAGE_HUB_SENDER. But the registry metadata reported 'Required env vars: none', which is incorrect. The code will raise an error if MESSAGE_HUB_API_KEY is not set. Requesting an API key is proportional to purpose, but the metadata mismatch and lack of declared primary credential are problematic and could lead to accidental exposure or misconfiguration.
Persistence & Privilege
The skill does not request persistent/always-on privileges, does not modify other skills or system-wide settings, and does not enable autonomous invocation beyond the platform default. No persistence/privilege escalation observed.
What to consider before installing
This package appears to be a straightforward client for a Message Hub, but be cautious: the registry metadata does not declare the environment variables the code actually needs. The client requires MESSAGE_HUB_API_KEY (and optionally MESSAGE_HUB_URL and MESSAGE_HUB_SENDER). Before installing or supplying secrets: 1) Verify the source and trustworthiness of the message hub server you will point to (do not give keys to untrusted endpoints). 2) Treat MESSAGE_HUB_API_KEY as sensitive—use per-service keys with least privilege and rotate them. 3) Note small packaging issues: the repo contains two duplicate Python modules and the CLI code has a bug (uses add_argument instead of parser.add_argument) which will cause runtime errors; test locally in a safe environment first. 4) If you need assurance, ask the publisher for corrected registry metadata, a canonical single module, and an explanation of why files are duplicated and why required env vars were omitted.

Like a lobster shell, security has layers — review code before you run it.

latestvk977eab22096dhxewbg2n6xsjd832ey4
180downloads
0stars
1versions
Updated 3h ago
v1.0.0
MIT-0
@socneo
latest
Download

Message Hub

Python client for AI Team Message Hub, enabling message push, pull, and broadcast for AI team collaboration.

Overview

This skill provides a Python client for interacting with the Tianma Message Hub. It enables AI assistants to send tasks, notifications, and receive messages asynchronously.

Features

  • Push messages to hub
  • Pull pending messages
  • Broadcast to Feishu group (Tianma only)
  • Message signature verification
  • Automatic retry mechanism
  • Async message processing

Requirements

  • Python 3.8+
  • requests library
  • Message Hub API credentials

Usage

See README.md for detailed usage instructions.

Security Notes

  • Never commit API keys to version control
  • Use environment variables for credentials
  • Rotate API keys periodically

Changelog

v1.0.0 (2026-03-18)

  • Initial release
  • Basic push/pull functionality
  • Security audit passed

Comments

Loading comments...