ClawHub

Microservices Starter

v1.0.0

Set up and deploy production-ready microservices with API gateway, service templates, service mesh support, distributed tracing, and container orchestration.

0· 417·5 current·5 all-time
by@sunshine-del-ux
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name/description claim full microservices scaffolding (API gateway, service templates, Istio, Helm charts, tracing). However, the package contains no code, templates, manifests, or installation artifacts. You would reasonably expect service templates, K8s manifests, Helm charts, and the referenced shell scripts to be included; their absence is incoherent with the stated purpose.
!
Instruction Scope
SKILL.md instructs running shell scripts (./create-service.sh, ./create-gateway.sh, ./deploy.sh production, ./monitor.sh install) that are not present. Those commands imply system-level changes (Docker/Kubernetes/Helm operations) and potentially network activity, but the instructions provide no provenance for the scripts or limits on where they communicate. The guidance to run unspecified scripts is risky and out-of-scope for an instruction-only skill without included artifacts.
Install Mechanism
There is no install spec (instruction-only). That is low-risk in itself, but combined with references to local scripts and many capabilities it is surprising: a microservices starter would normally include files or point to a repository/release. The lack of an install/source location means there's nothing for the agent to fetch safely.
!
Credentials
The skill declares no required env vars or config paths, yet its workflow requires Docker, kubectl/cluster access, and Helm — operations that normally need kubeconfig, cloud credentials, or other secrets. The absence of any declared credential or config requirements is inconsistent and hides where cluster access would come from, increasing the chance an operator might run scripts with overly broad privileges.
Persistence & Privilege
The skill is not always-enabled and allows normal model invocation. It doesn't request persistent privileges or modify other skills. However, its instructions (if followed) can make permanent changes to the system or clusters — a capability that should require careful provenance which is not provided here.
Scan Findings in Context
[no_code_to_scan] unexpected: The regex scanner found no code because the package is instruction-only. For a 'starter' that advertises templates and scripts, we would expect files to scan; their absence is a red flag.
What to consider before installing
Do not run the listed scripts or deploy commands as-is. Ask the publisher for the repository or release that contains the referenced scripts, manifests, and Helm charts and review those files before executing anything. If you want to try this, require a complete, verifiable source (e.g., GitHub repo or packaged release) and inspect create-*/deploy/monitor scripts and all manifests for network calls, credentials usage, and destructive commands. Test in an isolated environment (local VM or disposable cluster) and avoid providing kubeconfig or cloud credentials until you have reviewed the code. Prefer skills that include their templates or link to a trusted, auditable release.

Like a lobster shell, security has layers — review code before you run it.

latestvk973c0w9ttycvd8btscyqtd8g5828t8m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments