ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Publisher

v1.0.0

Create, validate, security-scan, and publish skills to ClawHub. Use when asked to "make a skill", "publish a skill", "create a new skill", "scaffold a skill"...

0· 535·1 current·1 all-time
byAsh Bhat@theashbhat
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the included scripts (scaffold, validate, security-scan, publish). However the runtime expects the 'clawhub' CLI (publish.sh checks for it and calls 'clawhub publish') yet the registry metadata lists no required binaries — mismatch. The package is labeled 'instruction-only' (no install spec) but includes executable scripts; that is not inherently wrong but should be reflected in declared requirements.
!
Instruction Scope
SKILL.md instructs running the bundled scripts, which is appropriate, but publish.sh constructs a command string and executes it with eval — using data extracted from SKILL.md (skill name) and user arguments without robust sanitization. An attacker could craft a SKILL.md or slug containing characters that break quoting and inject additional shell commands. security-scan.sh intentionally skips checking the canonical script files (publish/validate/scaffold/security-scan) when searching for dangerous patterns, which reduces its effectiveness and could allow malicious content to hide in those scripts. The publish flow also exposes flags to skip checks (--skip-checks) or ignore scan failures (--force), increasing risk if used without care.
Install Mechanism
No install spec (instruction-only) and scripts are shipped as plain files. This is low-risk in terms of automatic code downloads or opaque install steps. Nothing is fetched from unknown URLs during install by the skill itself.
Credentials
The skill declares no required environment variables or credentials, and the scripts do not demand secrets to run. The security-scan.sh actively checks for env-harvesting patterns in scanned skills, which is good. However, the scanner excludes its own control scripts from some checks, and publish/validate use data from SKILL.md and CLI args — so environment/metadata-based injection is a possibility even without declared credentials.
Persistence & Privilege
always is false and there is no indication the skill requests persistent privileges or modifies other skills or global agent configs. It does require the user's explicit invocation to publish, and it depends on an external clawhub CLI to actually push packages.
Scan Findings in Context
[use_of_eval_in_publish_sh] unexpected: publish.sh builds a PUBLISH_CMD string and runs eval "$PUBLISH_CMD". Executing constructed shell strings with eval is dangerous if inputs (SKILL.md fields, slug, version) are not strictly sanitized; a publishing tool could avoid eval by exec'ing with arrays.
[command_injection_risk_via_skill_name] unexpected: publish.sh extracts SKILL_NAME from SKILL.md and appends it into the command string; SKILL.md is user-editable and may contain characters to break quoting. This presents a command-injection risk during publishing.
[missing_required_binary_declaration] expected: The workflow clearly needs the 'clawhub' CLI (publish.sh checks for it and calls 'clawhub publish'), so declaring required binaries would be expected; absence in the declared requirements is an inconsistency that could confuse users.
[scanner_excludes_core_scripts_from_checks] unexpected: security-scan.sh explicitly skips checking its own control scripts (security-scan|publish|validate|scaffold). This weakens the scanner because a malicious author could embed dangerous patterns in those files and they would be ignored by the scanner's pattern checks.
What to consider before installing
This tool generally does what it says (scaffold/validate/scan/publish), but do not run publish.sh blindly. Before using: 1) Inspect SKILL.md (especially the name field) for any suspicious characters; avoid publishing skills whose SKILL.md contains untrusted or unreviewed text. 2) Replace the eval usage in publish.sh with a safer exec model (use an array to call clawhub with arguments) or ensure strict sanitization of slug/name/version inputs. 3) Avoid using --skip-checks or --force unless you understand and accept the risk. 4) Add 'clawhub' to the declared required binaries so users know the dependency. 5) Consider modifying security-scan.sh to also check the core scripts (or have an external reviewer) because it currently skips them. If you cannot review or fix these issues, treat this skill as untrusted and do not use it to publish code to ClawHub.

Like a lobster shell, security has layers — review code before you run it.

latestvk970dkvxpracv4gmr4tzedfjgs81jygz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments