Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NPM Search

Search npm packages. Use for finding Node.js/JavaScript packages, libraries, and tools.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 1.9k · 5 current installs · 5 all-time installs
by Seth Rose (@TheSethRose)
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (npm package search) aligns with requiring a search helper binary and jq for output parsing. Requiring npm-search-mcp-server and jq is plausible for an npm-search wrapper, but the skill does not provide or document where npm-search-mcp-server comes from.
Instruction Scope
SKILL.md tells the agent to run `bash scripts/npmsearch "<query>"`, but there is no scripts/ directory or script provided by the skill. That means the agent would execute whatever `scripts/npmsearch` exists in the user's environment (or fail). Running an unspecified local script is a scope and safety concern because its behavior is unknown.
Install Mechanism
There is no install spec (instruction-only), which keeps disk footprint low. However, the skill requires a non-standard binary (npm-search-mcp-server) and provides no guidance on where to obtain it or how to verify it, increasing risk if a user blindly installs an untrusted package.
Credentials
The skill requests no environment variables, credentials, or config paths — its requested privileges are minimal and proportionate to the stated purpose.
Persistence & Privilege
The skill is not always-enabled, is user-invocable, and does not request persistent presence or elevated agent-wide privileges.
What to consider before installing
This skill is instruction-only and delegates to a local script (`scripts/npmsearch`) and to a non-standard binary (`npm-search-mcp-server`) that the skill does not supply or document. Before installing or enabling it: 1) confirm where `npm-search-mcp-server` comes from and only install a trusted upstream (official repo or release). 2) Inspect any `scripts/npmsearch` file that will be run — do not let the agent execute an unknown local script without review. 3) If you can't find or audit the script/binary, consider declining the skill or running it in a sandbox. The lack of provided code or install instructions makes the skill coherent in purpose but risky in practice.

Like a lobster shell, security has layers — review code before you run it.

Current version v1.0.0
latest vk97edzt0katr2zgbd2ms6krkds7z677y · nodejs vk97edzt0katr2zgbd2ms6krkds7z677y · npm vk97edzt0katr2zgbd2ms6krkds7z677y · package-search vk97edzt0katr2zgbd2ms6krkds7z677y

Runtime requirements

📦 Clawdis
Bins: jq, npm-search-mcp-server

SKILL.md

NPM Search

CLI wrapper for npm-search-mcp-server.

Note: Examples show command syntax. Replace queries with the user's actual request.

Search Packages

bash scripts/npmsearch "<query>"

Command Reference

| Command | Description |
| --- | --- |
| `npmsearch "<query>"` | Search npm packages |

Notes

  • Requires npm-search-mcp-server installed
  • Requires jq

Files

1 total