Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gqllint
v1.0.1 · GraphQL anti-pattern & security analyzer -- detects query depth/complexity issues, resolver N+1 problems, over/under fetching, rate limiting & auth gaps, sch...
⭐ 0 · 48 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw verdict: Benign (high confidence)
Purpose & Capability
Name/description (GraphQL anti-pattern & security analyzer) match the provided code and runtime instructions. Required binaries (git, bash, python3, jq), the license env (GQLLINT_LICENSE_KEY), lefthook install for git-hook integration, and local regex-based patterns are all consistent with a linter/scanner.
Instruction Scope
Runtime instructions and scripts only perform local file discovery and grep-based pattern matching; they read the optional license from env or ~/.openclaw/openclaw.json and can install/configure lefthook hooks. Note: the hook installer will add/append lefthook.yml in the repository and pre-push will run a full working-tree scan — this modifies project config and runs scans on local files (which may include sensitive files if present).
Install Mechanism
Install spec uses a brew formula (lefthook) — a standard package manager. There are no downloads from unknown URLs or obfuscated installers. The skill's code is included and executed locally (sourcing shell scripts), which is expected for this kind of tool.
Credentials
Primary credential GQLLINT_LICENSE_KEY is appropriate for tier gating. The license module intentionally reads ~/.openclaw/openclaw.json (declared in metadata) and may use python3/node/jq to extract the key. The code also optionally references CLAWHUB_JWT_SECRET for signature verification — this variable is not listed in metadata but is optional and only used if present.
Persistence & Privilege
always:false and normal autonomous invocation settings. The skill can install git hooks (lefthook) into a repository and will run on commit/push once installed; that repository-level change is expected for a hook-based linter but is a persistent modification to project config that users should consent to.
Assessment
This skill appears to do what it says: a local, regex-based GraphQL anti-pattern scanner with optional paid tiers enforced by a JWT license key. Before installing consider: (1) You will be asked to provide/store a license (GQLLINT_LICENSE_KEY) or the tool will look in ~/.openclaw/openclaw.json; keep the key secure. (2) The optional lefthook integration will modify or append a lefthook.yml in your repository and install pre-commit/pre-push actions that run scans on staged or full working-tree files — only install hooks if you want that behavior. (3) All scanning is local (no network calls in the provided scripts), but the tool will read repository files (so sensitive files could be scanned locally). (4) CLAWHUB_JWT_SECRET is an optional environment variable used only to verify license signatures if you set it; it is not required. If you want minimal risk, run bash "<SKILL_DIR>/scripts/dispatcher.sh" scan . manually instead of installing git hooks.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/patterns.sh:42 — Environment variable access combined with network send.
latest · vk97chdf66n0br3aqda8d0k987h84vy79
Runtime requirements
🕸️ Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: GQLLINT_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook