Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GoodVerify

v0.1.0

Verify emails, phones, and addresses using the goodverify CLI. Use when the user asks to verify contact data, check deliverability, validate an address, look...

1· 54·0 current·0 all-time
by Thomas Brewer (@themusicman)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
View report →
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes exactly the expected capabilities (email, phone, and address verification) and requires a goodverify CLI and an API key, which is coherent with the stated purpose. However, the registry metadata lists no required binaries or environment variables, which contradicts the SKILL.md. The undeclared API credential and CLI requirement is an inconsistency the publisher should explain.
Instruction Scope
Runtime instructions tell the agent to check for, install, and configure the goodverify CLI, ask the user for API keys and a base URL, and run verification and batch commands. While the verification commands themselves are scoped to the purpose, the instructions explicitly recommend executing a remote install script (curl -fsSL https://raw.githubusercontent.com/.../install.sh | sh). That is an instruction to download and execute unreviewed, unpinned remote code. The SKILL.md also states that sk_* (read-write) keys are required for batch operations; instructing the agent or user to supply such keys without constraints increases the blast radius if the agent misbehaves or the key leaks.
Install Mechanism
There is no formal install spec in the registry metadata, but the instructions advise a curl | sh from a raw.githubusercontent.com URL. Downloading and piping a remote install script straight into a shell is higher-risk than using a vetted package release or a distribution package: nothing is inspected or verified before it executes. The URL is a direct raw GitHub path rather than a pinned release archive, so its contents can change between review and execution, whether by an ordinary push or by tampering.
Credentials
The registry metadata declares no required environment variables or primary credential, but the SKILL.md clearly requires a goodverify.dev API key and refers to read-write sk_* keys for batches and pk_* read-only keys. This mismatch is significant: the skill will need sensitive API keys to function, but those needs are not declared in metadata. The skill does not request unrelated credentials, but failing to declare the required secret in metadata makes it harder for users to spot and audit.
Persistence & Privilege
The skill itself is instruction-only and not always-enabled; it does not declare privileged persistent behavior. However, the SKILL.md instructs installation of a CLI which would create software on the user's system and persist configuration (including API keys) — an action with lasting effect that the user must explicitly approve. This persistence is not reflected in the registry metadata.
What to consider before installing
1) The skill's metadata omits the API key and CLI dependency described in SKILL.md. Treat that as a red flag and ask the publisher to correct the metadata.
2) The SKILL.md recommends running curl ... | sh from a raw GitHub URL; do not run that blindly. Inspect the install.sh content first (view the file in the repo or clone the repo), prefer a signed or released package, or ask the publisher for an installation method based on an official release.
3) Give the agent a read-only (pk_*) key whenever possible; avoid handing sk_* read-write keys to an agent or pasting them into chat.
4) If you must use this tool, confirm the repository owner, pin a specific commit or release, and review the install script for harmful behavior before executing it.
5) Ask that the skill metadata be updated to declare the required binaries and environment variables (API key, CLI) before you install, so that you can perform an informed risk assessment.
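The fetch-then-inspect workflow that items 2 through 4 describe, written out as a shell script. This is an added example, not code from the GoodVerify skill, its publisher, or ClawHub. The report truncates the real install.sh URL, so OWNER/REPO and the 40-hex commit SHA below are placeholders you replace; the function names (pin_raw_url, verify_sha256, key_is_read_only, fetch_verify_inspect) are this example's own, and the file written in demo is a constructed stand-in for a downloaded script so the checks run offline. The pk_*/sk_* distinction follows the report's description of read-only and read-write keys.

```shell
#!/bin/sh
# Added example (not the skill's or ClawHub's code): replace "curl ... | sh" with
# pin -> fetch to disk -> verify digest -> read -> run. OWNER/REPO and the commit SHA
# are placeholders because the report truncates the real raw.githubusercontent.com URL.
set -eu

# Rewrite a branch-referenced raw GitHub URL to one pinned to a full 40-hex commit SHA.
# Branch names like main move; a commit SHA does not, so the reviewed bytes are the fetched bytes.
pin_raw_url() {
  url=$1; sha=$2
  case "$url" in
    https://raw.githubusercontent.com/*/*/*/*) ;;
    *) echo "refusing: not a raw.githubusercontent.com URL: $url" >&2; return 1 ;;
  esac
  printf '%s' "$sha" | grep -Eq '^[0-9a-f]{40}$' \
    || { echo "refusing: commit must be a full 40-hex SHA, got '$sha'" >&2; return 1; }
  rest=${url#https://raw.githubusercontent.com/}
  owner=${rest%%/*}; rest=${rest#*/}
  repo=${rest%%/*};  rest=${rest#*/}
  path=${rest#*/}                      # drop the mutable ref, keep the file path
  printf 'https://raw.githubusercontent.com/%s/%s/%s/%s\n' "$owner" "$repo" "$sha" "$path"
}

# SHA-256 of FILE with whichever tool the host provides (GNU coreutils or BSD/macOS).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Compare FILE's digest with the one you recorded after reading the script.
verify_sha256() {
  actual=$(file_sha256 "$1")
  [ "$actual" = "$2" ]
}

# Per the report, pk_* keys are read-only and sk_* keys are read-write; only pk_* belongs in an agent's config.
key_is_read_only() {
  case "$1" in pk_*) return 0 ;; *) return 1 ;; esac
}

# Download to a file (never straight into sh), verify, and open it for review. Run it yourself afterwards.
# Usage: fetch_verify_inspect URL COMMIT_SHA EXPECTED_SHA256 OUTFILE
fetch_verify_inspect() {
  url=$1; sha=$2; expected=$3; out=$4
  pinned=$(pin_raw_url "$url" "$sha") || return 1
  curl -fsSL -o "$out" "$pinned"
  verify_sha256 "$out" "$expected" || { echo "digest mismatch, not running $out" >&2; return 1; }
  ${PAGER:-less} "$out"
  printf 'Reviewed %s? Then run it deliberately: sh %s\n' "$out" "$out"
}

# Offline demonstration on a constructed file (no network): exercises the checks without the download.
demo() {
  tmp=$(mktemp)
  printf 'hello\n' > "$tmp"                   # constructed stand-in for a downloaded install.sh
  pin_raw_url "https://raw.githubusercontent.com/OWNER/REPO/main/install.sh" \
              "0123456789abcdef0123456789abcdef01234567"
  verify_sha256 "$tmp" "5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03" \
    && echo "digest ok: $tmp"
  key_is_read_only "pk_example" && echo "pk_ key: safe to hand to the agent"
  key_is_read_only "sk_example" || echo "sk_ key: keep it out of the agent and out of chat"
  rm -f "$tmp"
}

demo
```

The point of pinning to a commit rather than a branch is that the digest you record after review stays meaningful: if the repository is later force-pushed or the script is edited, a fetch of the same pinned URL either returns the same bytes or fails, and verify_sha256 refuses anything else. Record the expected digest only after you have actually read the script.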

Like a lobster shell, security has layers — review code before you run it.


