Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hey summon

v0.1.0-beta

Request expert help by submitting queries to the HeySummon platform, which routes them to registered human providers for assistance.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
- VirusTotal: Suspicious (View report →)
- OpenClaw: Suspicious, high confidence

Purpose & Capability (flagged)
The skill's name/description (submit queries to HeySummon) matches the scripts' purpose (submit-request, platform watcher, provider registration). However, the published registry metadata declares no required environment variables or credentials, while the SKILL.md and scripts clearly require HEYSUMMON_API_KEY, HEYSUMMON_NOTIFY_TARGET and HEYSUMMON_* path variables, and implicitly read an OpenClaw gateway token from the user's home directory (~/.openclaw/openclaw.json). This mismatch between declared and actual requirements is an inconsistency; the requirements should have been declared in the registry metadata.
Instruction Scope (flagged)
The runtime instructions and scripts do more than just call the HeySummon API: the platform-watcher reads the OpenClaw gateway token from ~/.openclaw/openclaw.json and uses it to call the local OpenClaw tools/invoke endpoint; submit-request and add-provider store client API keys in providers.json; crypto keypairs are generated and stored under .keys; platform-watcher creates a persistent SSE listener (pm2/nohup). These actions access and persist sensitive local config and create persistent processes that are not obvious from minimal description text. The watcher also fetches message bodies from the platform and will attempt to decrypt/display them — all of which are within the skill's purpose but expand the runtime access surface significantly.
Install Mechanism
There is no install spec (instruction-only), so no external downloads or archive extraction are performed by an installer. That lowers supply-chain risk. However, the included helper script (auto-sync.sh) will auto-commit and push all repo changes to origin/main if run, which is a non-trivial action. The skill also expects Node, curl, jq and pm2, which are standard tools but are not declared in the registry metadata. No remote binary download URLs are present.
Credentials (flagged)
The skill legitimately needs a HeySummon client API key (HEYSUMMON_API_KEY) and notify-target settings, but it also reads the OpenClaw gateway token directly from the user's home directory (not declared as a required env). It stores provider client keys in providers.json and keypairs in .keys. The auto-sync script can push whatever is in the repo (potentially including misconfigured .env or providers.json) to GitHub. Requesting and reading the OpenClaw gateway token (an unrelated platform credential) is disproportionate to a simple 'submit request' description and should be explicit and optional.
Persistence & Privilege (flagged)
The skill spawns a persistent background watcher (pm2 or nohup) that runs continuously and writes state to .requests, .keys, .seen-events.txt and may be auto-started by submit-request. It does not use always:true in metadata, but it does install a long-running local component and can auto-start itself. Combined with the credential access and local file writes, this persistent presence materially increases blast radius if the skill or its config are compromised.
What to consider before installing
This skill appears to do what it claims (send requests to HeySummon) but contains several behaviours you should review before installing:
- Registry metadata omits required credentials: the scripts and SKILL.md expect HEYSUMMON_API_KEY, HEYSUMMON_NOTIFY_TARGET and path variables, but the published requirements list none. Treat that as a red flag.
- The platform-watcher reads your OpenClaw gateway token from ~/.openclaw/openclaw.json and uses it to call the local OpenClaw tools endpoint. That token is sensitive and belongs to another subsystem; confirm you are comfortable granting the skill that access, and prefer an explicit env var if possible.
- Providers' client API keys are written to providers.json and keypairs to .keys; ensure those files are gitignored and permissioned (chmod 600/700). Note that the included auto-sync.sh runs git add -A; if you run it (or cron-enable it) it can accidentally commit and push secrets if .gitignore is misconfigured. Disable or remove auto-sync unless you have audited the repo's ignores.
- The watcher runs persistently (pm2/nohup). If you don't want long-running background processes, do not run setup.sh; instead invoke submit-request manually. Inspect platform-watcher.sh to ensure it behaves as you expect.
- If you plan to install: audit .env/.gitignore, remove or disable auto-sync.sh, consider replacing the implicit home-directory token lookup with an explicit HEYSUMMON_OPENCLAW_TOKEN env var, and run the watcher in a sandbox or limited-account environment first. If you do not trust the HeySummon platform or the provider keys you're registering, do not run the skill.
Overall: coherent functionality, but several undeclared and sensitive local accesses. Proceed only after auditing and adjusting the scripts to match your security requirements.
