Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Speedtest

v1.0.1

Test internet connection speed using Ookla's Speedtest CLI. Measure download/upload speeds, latency, and packet loss. Format results for social sharing on Moltbook/Twitter. Track speed history over time. Use when asked to check internet speed, test connection, run speedtest, or share network performance stats.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included scripts: both scripts run the Ookla Speedtest CLI, format results, save history, and optionally publish to social endpoints. Requiring the speedtest CLI (documented in SKILL.md) is coherent with the purpose.
Instruction Scope
Runtime instructions and the included scripts are narrowly scoped to running speedtests, formatting results, saving a JSONL history, and optionally posting to social sites. However, the social script will attempt network operations (curl POST to https://www.moltbook.com/api/v1/posts and invoking the bird CLI for Twitter). It also reads/writes files in the user's home directory (history at ~/.openclaw/data/speedtest-history.jsonl and Moltbook credentials at ~/.config/moltbook/credentials.json). Those behaviors are expected for 'social sharing' but should be highlighted because they involve reading a credentials file and transmitting data to external endpoints.
Install Mechanism
There is no install spec (instruction-only skill + included scripts). SKILL.md gives standard install instructions for the official Ookla packages (brew / packagecloud) which are reasonable and expected.
Credentials
Metadata declares no required credentials or environment variables, but the social script looks for ~/.config/moltbook/credentials.json and extracts an api_key to POST to Moltbook. It also expects the 'bird' CLI for Twitter posting (which will use whatever credentials bird has configured). The skill thus accesses user-stored credentials/config without declaring this in requires.env — a mismatch that users should be aware of.
Persistence & Privilege
The skill does not request permanent system presence (always:false) and only writes its own history file under ~/.openclaw/data. It does not modify other skills or system-wide settings. Note: the agent can invoke the skill autonomously by default (platform default) — combined with the credential-access behavior above, that increases the blast radius if the skill is invoked without user oversight.
What to consider before installing
This skill appears to be a legitimate speedtest + social-posting helper, but pay attention to the following before installing:

- The social script will look for and read ~/.config/moltbook/credentials.json and will attempt to POST formatted results to https://www.moltbook.com via curl; it will also call the 'bird' CLI to tweet. Those behaviors are expected for sharing, but the metadata does not declare any required credentials — review and approve this explicitly.
- Inspect ~/.config/moltbook/credentials.json to confirm it only contains the expected API key and is stored securely; if you don't use Moltbook or don't want automatic posting, remove or protect that file.
- If you don't want any network posting, edit or remove the posting section of scripts/speedtest-social.sh (the Moltbook POST and bird tweet blocks) before using.
- The scripts create/write ~/.openclaw/data/speedtest-history.jsonl; if that concerns you, change the path or audit the file contents periodically.
- Install the Ookla Speedtest CLI only from the official sources mentioned in SKILL.md (brew / packagecloud) to avoid supply-chain risks, and review any third-party endpoints (moltbook.com) for trustworthiness.

If you want this skill but want tighter control, either (a) run the scripts locally and verify behavior before enabling the skill for autonomous use, (b) remove or comment out the posting sections, or (c) ensure Moltbook/Twitter credentials are absent so posts cannot be made.

Like a lobster shell, security has layers — review code before you run it.
