ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-seekers

v0.1.0

Convert documentation, GitHub repos, PDFs, codebases, videos, and more into structured AI skills using the skill-seekers CLI. Use this skill whenever the use...

0· 26·0 current·0 all-time
byMisha Kolesnik@tenequm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md behavior (scraping websites, GitHub, local codebases, PDFs, videos, packaging and uploading skills) matches the skill name/description. However, the registry metadata lists no required env vars or credentials while the instructions repeatedly reference API keys/tokens (Anthropic, Google, GitHub, Chroma/Weaviate, etc.) and config paths — an inconsistency between declared requirements and actual usage.
Instruction Scope
Instructions stay within the stated purpose: extracting from many source types, analyzing code, enhancing with AI, packaging and uploading. They explicitly instruct network scraping, reading local directories, and optionally reading chat exports (Slack/Discord) — all expected for this tool. There are no unexpected instructions to read unrelated system secrets, but the commands do enable broad data collection and external uploads.
Install Mechanism
The registry contains no install spec (instruction-only), but SKILL.md tells users to `pip install skill-seekers` and includes Docker/GitHub Actions examples that run pip install. Installing an external PyPI package is a normal delivery mechanism for a CLI, but it carries the usual risk of running third-party code (network access, file writes, daemons). The package source (PyPI/project homepage) is not provided in the registry, which reduces transparency.
!
Credentials
The manifest declares no required environment variables or primary credential, but the instructions reference many credentials and config locations: ANTHROPIC_API_KEY, GOOGLE_API_KEY, GITHUB_TOKEN, platform API keys, database/Chroma/Weaviate URLs, and ~/.config/skill-seekers/workflows. That mismatch is concerning: the tool expects secrets and remote endpoints that are not declared in metadata. Users should assume multiple service credentials may be required and that those credentials could be used to fetch or upload data.
Persistence & Privilege
always:false and no code shipped in the skill registry reduces immediate privilege concerns. However, the tool supports background/daemon enhancement modes, copying packages into agent directories (`install-agent`), writing custom workflows under `~/.config/skill-seekers/`, and uploading packages to external platforms — all of which can create persistent processes or artifacts once the third‑party CLI is installed. The skill itself does not request forced persistent inclusion, but installing the CLI could enable persistence.
What to consider before installing
This skill description and CLI docs are plausible for a tool that converts docs/repos/videos into AI skills, but there are noteworthy red flags and things to verify before trusting it. What to watch for - Declared vs actual requirements: The registry lists no credentials but the docs expect many API keys (Anthropic, Google, GitHub, Chroma/Weaviate, etc.). Treat that as an inconsistency — expect to supply secrets if you use it. - Third‑party install: SKILL.md tells you to `pip install skill-seekers`. Installing an external package runs arbitrary code on your machine and can access network and files. Only install from a verified source (official PyPI project page, vetted repo). If the registry doesn’t point to a homepage or repo, that’s a transparency gap. - Data exposure: The tool scrapes websites, reads local code and documents, can ingest chat exports, and can upload packaged skills to external services. Don’t run it against private data or supply secrets until you’ve audited the package. - Persistence: It supports `--daemon` and `install-agent` modes and writes workflows to ~/.config. These create longer-lived processes or files; be cautious and prefer one-off runs first. Practical steps before using 1. Find the package source: locate the PyPI page or canonical Git repo for `skill-seekers` and review the code, maintainer, and recent releases. If you can’t find a trusted source, do not install. 2. Run in isolation: test inside a disposable VM or container (or sandboxed environment). Avoid running against sensitive directories or providing production credentials. 3. Use least privilege keys: if you must provide API tokens, create tokens with the minimum scope and expiration, and do not reuse high-privilege keys. 4. Dry-run / --dry-run first: use dry-run or `--no-upload` options where available to see what it would do. 5. Inspect generated outputs and network activity: watch for unexpected uploads or connections (use network monitoring) and inspect files written to ~/.config or output directories. 6. Prefer local-only flags: avoid `--no-rate-limit`, `--daemon`, and background uploads until you trust the package. If you want, I can: (a) summarize the specific env vars and commands the SKILL.md references, (b) suggest a minimal safe command to test in a container, or (c) help draft a checklist to audit the package source before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk976x9p7af8cn8ch1gnt6vvrbx84557f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments