Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
cryptolint
v1.0.1 · Cryptography misuse & weak algorithm detector -- detects deprecated algorithms, hardcoded keys/IVs, ECB mode, weak random number generation, timing-vulnerabl...
⭐ 0· 51·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, SKILL.md, and files implement a local cryptography linter with git-hook integration (lefthook). Required binaries (git, bash, python3, jq) and the brew lefthook install are coherent with the stated purpose. However, the runtime code reads ~/.openclaw/openclaw.json for a stored license key while the registry 'Required config paths' lists none — this mismatch should be corrected or explained.
Instruction Scope
Runtime instructions and scripts operate locally: discover files, run grep-based regex patterns, compute scores, and optionally install git hooks. The dispatcher and analyzer source only local files and do not contact external endpoints. They do modify repository configuration (append or create lefthook.yml) when installing hooks — this is expected for git-hook integration but is a repository-modifying action the user should be aware of.
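To make the mechanism above concrete, here is a small grep-style linter of the kind the scan describes: a fixed set of regexes run line by line over source text, each hit carrying a weight that feeds an additive score a pre-commit hook could threshold on. This is an added illustration written for this page, not cryptolint's own code; the rule names, regexes, weights and the sample input are all constructed here and do not claim to match the skill's real rule set.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: re.Pattern
    weight: int


# Constructed rule set: names, regexes and weights are assumptions made for
# this example, not cryptolint's own rules.
RULES = [
    Rule("weak-hash", re.compile(r"\b(md5|sha1)\s*\(", re.I), 3),
    Rule("ecb-mode", re.compile(r"\bMODE_ECB\b|AES/ECB|\bECB\b", re.I), 5),
    Rule("hardcoded-key",
         re.compile(r"""\b(key|iv|secret)\s*=\s*(b?["'][^"']{8,}["']|bytes\.fromhex\()""", re.I), 5),
    Rule("weak-random",
         re.compile(r"\brandom\.(random|randint|choice)\s*\(|\bMath\.random\s*\(", re.I), 2),
    Rule("deprecated-cipher", re.compile(r"\b(DES|RC4|ARC4|Blowfish)\b"), 4),
]

Finding = Tuple[int, str, int]  # (line number, rule name, weight)


def lint_source(text: str) -> List[Finding]:
    """Run every rule over every non-comment line, grep -n style."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", "//")):
            continue  # whole-line comments are skipped to reduce noise
        for rule in RULES:
            if rule.pattern.search(line):
                findings.append((lineno, rule.name, rule.weight))
    return findings


def score(findings: List[Finding]) -> int:
    """Additive risk score; a hook could fail the commit above a threshold."""
    return sum(weight for _, _, weight in findings)


# Constructed sample input: a deliberately bad Python snippet, held as text.
SAMPLE = '''
from Crypto.Cipher import AES
import hashlib, random
key = b"0123456789abcdef"        # hardcoded key
iv = b"1234567890123456"
cipher = AES.new(key, AES.MODE_ECB)
digest = hashlib.md5(data).hexdigest()
token = str(random.randint(0, 2**32))
# md5(...) in a comment must not count
'''

if __name__ == "__main__":
    found = lint_source(SAMPLE)
    for lineno, name, weight in found:
        print(f"line {lineno}: {name} (+{weight})")
    print("score:", score(found))
```

Regex linting of this kind is cheap and hook-friendly but purely lexical: it cannot see a key that is loaded from a variable two files away, and it will flag `MODE_ECB` even inside a test that is deliberately exercising ECB, so treat its score as a prompt for review rather than a verdict.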
Install Mechanism
Install uses a Homebrew formula (lefthook) which is a standard package manager path and low risk. There are no URL-based downloads or archive extraction in the skill's install spec.
Credentials
Primary credential CRYPTOLINT_LICENSE_KEY is appropriate for a paid tier. However, license.sh looks for and reads ~/.openclaw/openclaw.json (not declared in registry metadata), and may use an undeclared env var CLAWHUB_JWT_SECRET for optional JWT signature verification. The skill will try multiple local tools (python3/node/jq/openssl) to parse that config and validate tokens. These extra reads/variables should have been declared in registry metadata.
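The mismatch the scan reports (config paths and env vars read by the scripts but absent from the registry metadata) is something you can check yourself before installing. The audit below is an added example, not ClawHub tooling or part of the skill: it greps a script for `$VAR` / `${VAR}` and `os.environ[...]` reads and for dotfile paths under the home directory, then diffs them against what the registry declared. The `LICENSE_SH` text is a constructed stand-in that mirrors only what the scan says license.sh does; the jq path `.licenseKey` is a placeholder, not the skill's real config layout.

```python
import re
from typing import Dict, List, Set

# Registry metadata as shown on this page; required config paths: none.
DECLARED: Dict[str, Set[str]] = {
    "env": {"CRYPTOLINT_LICENSE_KEY"},
    "config_paths": set(),
}

# $VAR / ${VAR...} in shell, and os.environ["VAR"] / os.environ.get("VAR") in Python.
ENV_RE = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?|os\.environ(?:\.get\(|\[)\s*[\"']([A-Z][A-Z0-9_]*)")
# Shell assignments VAR=... (optionally exported): script-local, not inherited from the caller.
ASSIGN_RE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)=", re.M)
# Dotfile paths under the home directory: $HOME/.x/y, ${HOME}/.x, ~/.x
PATH_RE = re.compile(r"(?:\$\{HOME\}|\$HOME|~)(/\.[\w.-]+(?:/[\w.-]+)*)")
SHELL_BUILTINS = {"HOME", "PATH", "PWD", "USER", "SHELL", "TMPDIR"}


def audit(script: str, declared: Dict[str, Set[str]] = DECLARED) -> Dict[str, List[str]]:
    """Report env vars and home-directory config paths the script reads but the metadata omits."""
    local_vars = set(ASSIGN_RE.findall(script))
    env_used: Set[str] = set()
    for m in ENV_RE.finditer(script):
        name = m.group(1) or m.group(2)
        if name not in SHELL_BUILTINS and name not in local_vars:
            env_used.add(name)
    paths_used = {"~" + m.group(1) for m in PATH_RE.finditer(script)}
    return {
        "env_used": sorted(env_used),
        "config_paths_used": sorted(paths_used),
        "undeclared_env": sorted(env_used - declared["env"]),
        "undeclared_config_paths": sorted(paths_used - declared["config_paths"]),
    }


# Constructed stand-in for license.sh, mirroring only what the scan describes
# (a stored key in ~/.openclaw/openclaw.json, optional CLAWHUB_JWT_SECRET).
# The jq path '.licenseKey' is a placeholder, not the skill's real layout.
LICENSE_SH = r'''
#!/usr/bin/env bash
CFG="$HOME/.openclaw/openclaw.json"
KEY="${CRYPTOLINT_LICENSE_KEY:-}"
if [ -z "$KEY" ] && [ -f "$CFG" ]; then
  KEY="$(jq -r '.licenseKey // empty' "$CFG")"
fi
if [ -n "${CLAWHUB_JWT_SECRET:-}" ]; then
  printf '%s' "$KEY" | openssl dgst -sha256 -hmac "$CLAWHUB_JWT_SECRET"
fi
'''

if __name__ == "__main__":
    report = audit(LICENSE_SH)
    for k, v in report.items():
        print(f"{k}: {v}")
```

Run it over every script in the downloaded skill directory, not just license.sh; a variable that is exported by one script and read by another will show up as local in the first and undeclared in the second, which is exactly the kind of cross-file flow worth a second look.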
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistent privileges. It can install git hooks, which modifies a repo's lefthook.yml (a user-invoked action). Beyond reading the OpenClaw config and optionally creating or altering the repository's lefthook.yml during hook installation, it does not touch other skills or global agent settings.
What to check before installing:
- This skill is local-only and implements a sensible cryptography linter, but it will look for a stored license in ~/.openclaw/openclaw.json and will accept CRYPTOLINT_LICENSE_KEY via env var. The registry metadata did not list that config path — confirm you are comfortable with the skill reading that file before installing.
- The license module optionally uses CLAWHUB_JWT_SECRET (not declared) to verify JWT signatures; only set that env var if you understand its purpose.
- Installing hooks will create/append a lefthook.yml in your repository and run lefthook install — test in a disposable repo first if you don’t want immediate repo changes.
- If you will provide a license key, prefer setting it per-session rather than storing it permanently, or inspect ~/.openclaw/openclaw.json to confirm where keys will be saved.
- Overall the code is coherent with its stated purpose, but the undeclared config/env usage and the repo-modifying hook install are reasons to review the files and configuration choices before use.
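The second checklist item says to set CLAWHUB_JWT_SECRET only if you understand its purpose; the Credentials finding says it is used for optional JWT signature verification. The added example below, which is not the skill's license.sh and assumes (the page does not say) that the token is an HS256 JWT and the variable is its HMAC key, shows why that matters: with a symmetric MAC the verification key is the signing key, so any process holding the secret can mint a token the verifier accepts. The secret value, claims and expiry used here are made up.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token. Anyone holding `secret` can do this, not just the issuer."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, else None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # pin the algorithm: reject "none" and any HS/RS confusion
        expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None  # constant-time compare of the MAC
        claims = json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError, AttributeError):
        return None
    if "exp" in claims and claims["exp"] < (now if now is not None else int(time.time())):
        return None
    return claims


if __name__ == "__main__":
    secret = b"hypothetical-clawhub-jwt-secret"  # stand-in for CLAWHUB_JWT_SECRET (assumed HMAC key)
    forged = sign_hs256({"skill": "cryptolint", "tier": "paid", "exp": 2_000_000_000}, secret)
    # Accepted: with a shared secret the verifier cannot distinguish this from an issuer-minted token.
    print(verify_hs256(forged, secret))
```

If the real tokens are instead signed asymmetrically (RS256/ES256), only a public key is needed to verify and a stray secret in the environment is less dangerous; until the skill documents which it is, treat the variable as sensitive and keep it out of persistent shell profiles.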
latest: vk97597vyydfc32fyth83qff18s84vmqf
Runtime requirements
🔐 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: CRYPTOLINT_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook