Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results below before using it.

bundlephobia

v1.0.1

Bundle size & dependency bloat analyzer — scans JS/TS projects for oversized dependencies, duplicate packages, tree-shaking failures, and bundle configuratio...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

Capability signals: Crypto · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.

VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name, description, CLI commands, and included scripts all align: the code performs local pattern-based scanning of JS/TS projects, produces reports, and optionally installs pre-commit hooks via lefthook. Declared requirements (git, bash, python3, jq) and primaryEnv (BUNDLEPHOBIA_LICENSE_KEY) match the documented free/pro/team feature split.
Instruction Scope
SKILL.md and the scripts instruct the agent to discover files in the project tree, run grep-based pattern checks, and (for Pro) install lefthook-based pre-commit hooks. The scripts read the user's repo files and the OpenClaw config (~/.openclaw/openclaw.json) to find a license key; this is expected behavior for a local scanner and for offline license lookup.
Install Mechanism
The install spec is a single brew formula (lefthook) to support hook installation. No arbitrary downloads, URL fetches, or installs from personal servers are present in the provided files.
Credentials
The primary credential BUNDLEPHOBIA_LICENSE_KEY is appropriate for pro/team features. Minor concerns: license validation optionally looks for an env var named CLAWHUB_JWT_SECRET (used to verify the JWT's HMAC signature) that is not declared in the metadata. This is likely a shared-secret mechanism, but it is not documented; note that with an HMAC-signed token, whoever holds the verification secret can also mint valid tokens, so a locally checked shared secret is not a trust boundary against anyone who has it. The scripts also fall back to node to parse JSON if it is available (node is not listed as a required binary), which is harmless but worth noting.
Persistence & Privilege
The skill does not request always:true and does not persist across agents. Running 'hooks install' writes or edits lefthook.yml in the repository and runs lefthook install to create git hooks. That is expected for a pre-commit hook feature, but it does modify repo-level configuration, and the hooks will run on every commit until removed.
Assessment
This skill appears to do what it claims: local grep-based bundle analysis and optional pre-commit hook installation. Before installing:
1) Confirm you are comfortable with lefthook being installed and lefthook.yml being created or modified in your repository. Hooks run on every commit, can block commits, and execute whatever commands lefthook.yml lists, so read that file after installation.
2) Provide a BUNDLEPHOBIA_LICENSE_KEY only if you trust the vendor; the license is validated locally.
3) Note that the script may optionally use an env var named CLAWHUB_JWT_SECRET to verify JWT signatures (not documented in SKILL.md); if you maintain such a secret, be aware the skill will read it if present.
4) Review the scripts yourself (they are small, shell-based, and offline) if you need higher assurance.
If you want to avoid repo changes, use the free 'bundlephobia scan' command, which runs a one-shot local scan without installing hooks.
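A check that follows from point 1, as an added example rather than code from the skill or from ClawHub: it lists the git hooks that are live in a checkout (honoring core.hooksPath, which git consults instead of .git/hooks when it is set) and pulls the run: lines out of lefthook.yml, so you can see before your next commit exactly what would execute. The demo directory, the hook stub that mentions lefthook, and the lefthook.yml contents are constructed for illustration and are not what this skill writes.

```shell
#!/bin/sh
# Added example (not part of the bundlephobia skill): inspect what a lefthook
# pre-commit setup would run in a repository before trusting it.
# Assumes only a checkout directory with an optional lefthook.yml at its root.

# Print the git hooks that are live for this checkout, one per line as
# "<hook name>\t<lefthook|other>". Honors core.hooksPath, which redirects git
# away from .git/hooks entirely; falls back to .git/hooks when it is unset or
# git is unavailable.
list_git_hooks() {
  repo="$1"
  hooks_dir="$(git -C "$repo" config --get core.hooksPath 2>/dev/null || true)"
  if [ -z "$hooks_dir" ]; then
    hooks_dir="$repo/.git/hooks"
  else
    case "$hooks_dir" in /*) ;; *) hooks_dir="$repo/$hooks_dir" ;; esac
  fi
  [ -d "$hooks_dir" ] || return 0
  for f in "$hooks_dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.sample) continue ;; esac   # git's inert template files
    if grep -q lefthook "$f" 2>/dev/null; then tag="lefthook"; else tag="other"; fi
    printf '%s\t%s\n' "$(basename "$f")" "$tag"
  done
}

# Extract the command lines lefthook would execute from lefthook.yml.
# This is a line-oriented grep, not a YAML parser: good enough for a review
# glance, and it deliberately surfaces every 'run:' line, however nested.
lefthook_commands() {
  cfg="$1/lefthook.yml"
  [ -f "$cfg" ] || { echo "no lefthook.yml"; return 0; }
  grep -E '^[[:space:]]*run:' "$cfg" | sed -E 's/^[[:space:]]*run:[[:space:]]*//'
}

# Count hooks that reference lefthook: what 'hooks install' leaves behind.
count_lefthook_hooks() {
  list_git_hooks "$1" | awk -F'\t' '$2 == "lefthook"' | wc -l | tr -d ' '
}

# Constructed demo checkout: a lefthook.yml and one hook stub that calls lefthook.
demo="$(mktemp -d)"
mkdir -p "$demo/.git/hooks"
printf 'pre-commit:\n  commands:\n    bundlephobia:\n      run: bundlephobia scan\n' > "$demo/lefthook.yml"
printf '#!/bin/sh\nlefthook run pre-commit "$@"\n' > "$demo/.git/hooks/pre-commit"
chmod +x "$demo/.git/hooks/pre-commit"
echo "live hooks (name, manager):"; list_git_hooks "$demo"
echo "commands lefthook would run on commit:"; lefthook_commands "$demo"
```

Run it against a real checkout by calling list_git_hooks and lefthook_commands with the repository path; a hook tagged "other" that you did not write, or a run: line you do not recognize, is the thing to investigate before committing.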
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/patterns.sh:210: Dynamic code execution detected.
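The flagged line is worth reading in context. What follows is an added illustration of why a dynamic-code-execution hit in a grep-based scanner gets attention; it is not the skill's own scripts/patterns.sh and makes no claim about what that line does. Two shell functions count regex matches in one file: the first splices the filename into a string that eval re-parses, the second passes its arguments directly. A constructed JS filename carrying a harmless ';' payload shows the difference; the file and marker paths are made up for the demo.

```shell
#!/bin/sh
# Added example (not the skill's scripts/patterns.sh): why a scanner that
# reaches for eval is worth a second look. Both functions count matches of a
# regex in one file; only the first lets a filename become shell code.

# Unsafe: the filename is spliced into a string that eval re-parses, so
# metacharacters in it (';', '$(...)', backticks) run as commands. Anyone who
# can name a file in a scanned project chooses those commands.
count_matches_eval() {
  pattern="$1"; file="$2"
  eval "grep -c '$pattern' $file 2>/dev/null"
}

# Hardened: pass arguments directly. '--' stops option parsing, so a file
# named '-r' or '--include=*' is a path, not a flag; quoting keeps it one word.
# grep -c prints 0 and exits 1 on no match, so '|| true' keeps callers simple.
count_matches_safe() {
  pattern="$1"; file="$2"
  grep -c -e "$pattern" -- "$file" 2>/dev/null || true
}

# Constructed probe: a JS file whose name carries a shell payload that only
# creates a marker file, so the effect is visible but harmless.
# $1 is the scanner function to exercise; prints "yes" if the payload ran.
payload_executed() {
  work="$(mktemp -d)"
  marker="$work/pwned"
  evil="$work/app.js; touch $marker"
  printf 'import lodash from "lodash";\n' > "$evil"
  "$1" 'import' "$evil" >/dev/null 2>&1 || true
  if [ -e "$marker" ]; then echo yes; else echo no; fi
}

echo "eval-based scanner executed the filename payload: $(payload_executed count_matches_eval)"
echo "hardened scanner executed the filename payload:   $(payload_executed count_matches_safe)"
```

The same reasoning applies to patterns read from a config file and to paths fed in from find or git ls-files: if any of them reach eval, the scanner's own input set is its attack surface, which is why the flag is raised even when the skill's intent is benign.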

Runtime requirements

📦 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: BUNDLEPHOBIA_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
