Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.


v0.5.1

grazy provides real-time Graz city info via CLI: public transport, weather, air quality, news, events, and POI search without API keys needed.

by Thomas Goelles (@thomyg)

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name/description (Graz city info via the grazy CLI) matches the runtime instructions which call the grazy CLI. Note: the top-level registry summary claims no required binaries, but the SKILL.md metadata and instructions do list the grazy binary / @grazy/cli npm package as required — this is a minor metadata inconsistency, not a functional mismatch.
Instruction Scope
SKILL.md only instructs the agent to call grazy help and grazy subcommands (departures, weather, events, poi, news, air, etc.). It documents data sources (EFA, Open-Meteo, ORF RSS, OpenStreetMap, kultur.graz.at) which align with the described outputs. There are no instructions to read unrelated files, environment variables, or to exfiltrate data.
Install Mechanism
There is no platform installer in the registry entry, but SKILL.md provides an npm-based install (npm install -g @grazy/cli) and suggests npx as an alternative. Installing or running via npx pulls code from the npm registry/GitHub repo — a common and traceable approach, but it does execute third-party code at runtime, so users should verify the package/repo and preferred version before global install.
Credentials
No environment variables, credentials, or config paths are requested. This is proportional to a CLI that aggregates public data.
Persistence & Privilege
The skill does not request always:true and does not ask to modify other skills or global agent settings. It is user-invocable and may be invoked autonomously (platform default), which is expected for a CLI wrapper.
Assessment
This skill appears to be what it says: a helper to run the grazy CLI. Before installing or running it:
1) Verify the npm package page and the linked GitHub repository and confirm the package maintainer (check recent releases and open issues).
2) Prefer running 'npx @grazy/cli ...' in a sandboxed environment if you don't want to install globally; npx executes remote code at runtime.
3) If installing globally, pin a known-good version (npm install -g @grazy/cli@<version>) rather than installing the latest by default.
4) Inspect the package source (on GitHub) for unexpected network calls or data collection if you need higher assurance.
5) Note the minor metadata inconsistency: the registry record omitted required binaries while SKILL.md lists them — this is likely bookkeeping, but verify that the runtime environment has the grazy CLI available.
