Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

eventlint

v1.0.1

Event & message queue anti-pattern analyzer -- detects producer/consumer issues, schema problems, dead letter queue gaps, ordering failures, and observabilit...

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill name/description (event architecture linting) aligns with required binaries (git, bash, python3, jq), the license key, lefthook install, and the provided pattern-based scanning scripts. Required items (lefthook for git hooks, python3/jq for JSON parsing) are proportionate to the declared features.
Instruction Scope
Runtime instructions and scripts operate locally: file discovery, grep-based regex matching, scoring, and report generation. They do read a local config (~/.openclaw/openclaw.json) to find a license key if env var is not set, and the optional 'hooks install' flow modifies the repository's lefthook.yml and runs lefthook install (which changes repo config). This behavior is expected but worth noting before installing hooks.
Install Mechanism
Install spec only requests installing the well-known 'lefthook' brew formula. No downloads from arbitrary URLs or archive extraction are present. The skill's code is delivered as shell scripts (no remote installers) so installation risk is low.
Credentials
The single primary credential EVENTLINT_LICENSE_KEY is justified by tiered license checks. The license module also looks in ~/.openclaw/openclaw.json (declared in SKILL.md) as a fallback and optionally uses CLAWHUB_JWT_SECRET for signature verification — the latter is optional and not required for normal use. No unrelated secrets or broad cloud credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistent privileges. The only persistent side-effect is optional modification of a project's lefthook.yml when the user runs the hooks installation command, which is consistent with the stated git-hook integration.
Assessment
This skill appears to do what it says: local regex-based scanning for event-driven anti-patterns and optional integration with git hooks. Before installing or enabling hooks: (1) review the lefthook.yml it will add or append to your repo (hooks install modifies repository files), (2) only provide EVENTLINT_LICENSE_KEY if you trust the publisher (the key is used locally or read from ~/.openclaw/openclaw.json), and (3) confirm you want lefthook installed via brew. If you only want one-off scans, run the dispatcher.sh/scan.sh commands directly without installing hooks. Also be aware regex-based linters can produce false positives; review pattern definitions in scripts/patterns.sh if concerned about noisy results.
scripts/patterns.sh:114
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latest: vk970q33221gmnzjyd14vr5f03h84t4yq

Runtime requirements

📨 Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: EVENTLINT_LICENSE_KEY

Install

Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook
