ClawHub

Realtime Collab App

v1.0.0

Enables building real-time collaborative apps with features like whiteboard, live code editing, chat, CRDT sync, and presence indicators.

0· 252·1 current·1 all-time
by@sunshine-del-ux
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (build realtime collab apps) aligns with the instructions (create and run a collab app). However the skill provides no code, no scripts, no repo link or homepage — so the declared capability cannot actually be delivered from the bundled files. That mismatch (declared functionality but no deliverable artifacts) is unexpected.
!
Instruction Scope
SKILL.md instructs running ./create-collab.sh and ./dev.sh (local shell scripts) and requires Node.js and Redis. The instructions are minimal and vague (no definition of what those scripts do, no safe defaults). Directing an agent or user to execute unspecified shell scripts gives broad discretionary power and could execute arbitrary code; since the scripts are not included, the instructions are incomplete and open-ended.
Install Mechanism
There is no install spec and no files to download or install. From an installation-risk perspective this is low-risk because nothing will be written by the skill itself. The missing install artifacts are the main problem (functionality can't be verified).
Credentials
The skill does not request environment variables, credentials, or config paths. Node.js and Redis are listed as runtime requirements which are reasonable for this type of project. No secret or unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and allows normal agent invocation. It does not request persistent presence or modify other skills. There are no elevated privileges declared.
What to consider before installing
Do not install or run this skill as-is. The SKILL.md references local scripts (./create-collab.sh, ./dev.sh) that are not included — running unknown scripts can execute arbitrary code. Before using: 1) Ask the publisher for the full source (repository or packaged scripts) and a homepage or authoritative repo (e.g., GitHub). 2) Review the actual scripts and code for network endpoints, data exfiltration, or credential use. 3) If you must test, run in an isolated sandbox/VM with no sensitive credentials and no network access until you verify it. 4) Prefer skills with clear provenance, versioned releases, and included source code. If the author cannot provide code or a reputable source, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97e54h6b1pc8hqm4b9e57mw9d8284td

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments