Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Advisor

v1.1.0

Evaluate OpenClaw skills before installation. Use when user wants to check a skill's safety, dependencies, popularity, or get an installation recommendation....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the actual behavior: SKILL.md instructs the agent to fetch skill metadata and SKILL.md from ClawHub and produce an assessment. Required binary (curl) is appropriate and proportional.
Instruction Scope
Instructions direct network fetches of arbitrary skill metadata and SKILL.md from ClawHub and run local Python parsing. This is expected for an advisor tool, but fetching and processing arbitrary remote content can expose the agent to untrusted inputs (e.g., misleading SKILL.md text, URLs). The skill does not instruct reading unrelated local files or exfiltrating secrets.
Install Mechanism
No install spec and no code files beyond SKILL.md and a license — lowest-risk delivery model (instruction-only). Nothing is downloaded or written by an installer.
Credentials
No environment variables, credentials, or config paths are required. The lack of requested secrets is proportionate to the stated purpose. Note: if the platform's ClawHub API required authentication in practice, that would be a separate credential consideration (not declared here).
Persistence & Privilege
always:false and no special privileges or modifications to other skills or system settings. The skill does not request permanent agent presence beyond normal invocation.
Assessment
This skill appears coherent and low-risk because it is instruction-only and only uses curl to fetch ClawHub skill metadata. Before using it: (1) confirm your agent/platform does not require providing any ClawHub API keys — if an API key is later needed, evaluate whether that credential is appropriate to share; (2) treat its output as advisory: manually inspect any fetched SKILL.md and metadata for suspicious links or hidden endpoints; (3) avoid allowing the agent to fetch private or internal skill names that could expose internal data; and (4) do not rely solely on automated conclusions—use the report to guide a manual review. If you want higher assurance, test the skill with a well-known public skill name first and inspect the network activity logs.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔍 Clawdis
Bins: curl