Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
apishield
v1.0.1 · API endpoint security auditor — scans route definitions for missing auth, rate limiting, CORS issues, and input validation holes
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the requested binaries (git, bash, python3, jq), the primary credential (APISHIELD_LICENSE_KEY) is appropriate for a license-gated product, and the brew install of lefthook aligns with the advertised pre-commit hook feature.
Instruction Scope
Runtime instructions and scripts perform local filesystem scanning via grep/find and pattern matching as claimed; they read ~/.openclaw/openclaw.json to locate a stored license key. No network transmit code (curl/wget) or telemetry was found. Note: pre-commit hooks will source the shipped scripts from the skill directory at commit time (see persistence_privilege).
Install Mechanism
Install spec only requests lefthook via Homebrew, a well-known tool used for git hooks. The skill does not download arbitrary archives or execute remote installers.
Credentials
Only APISHIELD_LICENSE_KEY is required/declared and is appropriate. The code optionally consults ~/.openclaw/openclaw.json (declared in metadata). The license module references CLAWHUB_JWT_SECRET (used only for optional signature verification) but that env var is not declared in requires.env—this is optional and not required for normal operation, but it is a referenced secret the skill may use if present.
Persistence & Privilege
always:false and model invocation is allowed (default). The 'hooks install' command modifies repository lefthook.yml and runs lefthook install so the skill attains persistence at the git-hook level: installed hooks will source scripts from the skill directory (~/.openclaw/skills/apishield) and execute scans on every commit. This behavior is expected for a pre-commit scanner but is a privileged action that means future commits will execute the skill's shell code.
Assessment
This skill appears coherent with its stated purpose, but review these points before installing: (1) The Pro/Team features require a license key (APISHIELD_LICENSE_KEY) stored in environment or ~/.openclaw/openclaw.json — keep that file secure. (2) Installing hooks will modify or create lefthook.yml in your repository and install lefthook; pre-commit hooks will source and run the skill's shell scripts from ~/.openclaw/skills/apishield on every commit — only install hooks if you trust the skill directory. (3) The license validator optionally honors CLAWHUB_JWT_SECRET for signature checks (not declared in the manifest); if you set that env var it will be used for verification. (4) The scanner runs local grep/find pattern matches only (no observed network telemetry), but you should still review the shipped scripts and test in a safe repo/CI before enabling hooks across active projects. If you need higher assurance, ask the publisher for reproducible build provenance or a signed release artifact.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/patterns.sh:124 — Dynamic code execution detected.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🔒 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: APISHIELD_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook