Clawaudit

v0.1.0

Official repo for clawaudit, coming soon as an automated security checker for repositories.

byte_za@tezatezaz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description promises an 'automated security checker for repositories' but there are no instructions, no code, no dependencies, and no required credentials. That mismatch (capability promised but not implemented) is incoherent — it looks like a placeholder rather than a working skill.
Instruction Scope
SKILL.md contains only a short placeholder description and two external URLs (clawaudit.duckdns.org and a logo.png). It does not instruct the agent to read local files, access credentials, or perform actions, but the presence of an external URL means the agent could be directed to fetch remote content later if the skill is updated.
Install Mechanism
No install spec and no code files are present — lowest-risk configuration. Nothing will be written to disk by the skill itself as provided.
Credentials
The skill requests no environment variables, credentials, or config paths — there is no apparent need for secrets in its current placeholder form.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is allowed (the platform default). There is no indication the skill requests elevated or persistent privileges.
What to consider before installing
This package is essentially a placeholder: it claims to be an automated security checker but contains no code or instructions and links to a DuckDNS host. That alone isn't evidence of malware, but it's incomplete and comes from an unknown source. Recommended actions before installing or trusting it:
1) Wait for a proper release with an install spec, source repository, and published code (preferably on a reputable host like github.com).
2) Verify the owning entity and an official homepage/contact.
3) Treat the duckdns URL as untrusted — do not provide credentials or secrets to the skill or its site.
4) If you must test it, do so in an isolated environment without access to sensitive data.
If you need a working repo-audit tool now, prefer well-known alternatives with published code and documentation.

Like a lobster shell, security has layers — review code before you run it.
