Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TeamApp Admin

v1.0.0

Use when interacting with TeamApp club admin JSON endpoints on teamapp.com to create/read/update News articles and Schedule events, and to resolve Team and A...

by Steve G (@thed000d)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, SKILL.md, and the included api-map and wrapper script all align with managing TeamApp club admin JSON endpoints (news, events, teams, access groups). However the registry metadata claims no required env vars while the wrapper script and SKILL.md require a sensitive TA_AUTH_TOKEN cookie; examples also reference TA_CLUB_ID which is not declared. The lack of a homepage or known source reduces provenance.
Instruction Scope
Runtime instructions are focused on reading JSON schemas and using the provided wrapper to call TeamApp endpoints; they do not instruct the agent to read arbitrary system files. The wrapper enforces session bootstrapping, CSRF extraction, and cookie management which are reasonable for the stated purpose. However examples reference an undeclared TA_CLUB_ID env var and the instructions insist on injecting a browser cookie value (TA_AUTH_TOKEN), a sensitive credential.
Install Mechanism
There is no install spec (instruction-only with one shell wrapper file). Nothing is downloaded or installed by the skill, which keeps install risk low.
Credentials
The script requires TA_AUTH_TOKEN (the ta_auth_token cookie) — a sensitive credential appropriate for web session actions, but the registry metadata falsely lists no required env vars. Examples also use TA_CLUB_ID but it is not declared. Requesting a live session cookie is proportionate to the capability but the metadata/instructions mismatch and lack of provenance are concerning.
Persistence & Privilege
The skill does not request always:true, does not modify other skills or system-wide configs, and only writes temporary files under /tmp for cookies/CSRF. Autonomy is allowed (default) but that is normal for skills.
What to consider before installing
This skill appears to implement TeamApp admin operations and includes a shell wrapper that requires your browser's ta_auth_token cookie (TA_AUTH_TOKEN) and likely a TA_CLUB_ID environment variable. Before installing or using it:
1) Verify the publisher/source (there is no homepage listed).
2) Understand that you must supply a live session cookie — treat it like a password: do not share it with untrusted code.
3) Prefer using an account with limited privileges and rotate the cookie after use.
4) Confirm the registry metadata is corrected to list TA_AUTH_TOKEN (and TA_CLUB_ID if required).
5) Optionally review/scan the wrapper script yourself (it is short and only talks to teamapp.com and the user-provided URLs).
If you cannot verify the author or are unwilling to provide a session cookie, do not install or use this skill.
