Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Documentation-Accurate Code Generation

v1.0.0

Generate code that references actual documentation, preventing hallucination bugs. ALWAYS loads docs first, validates against API signatures, and verifies co...

0· 541·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The declared required binaries (curl, jq, git) are plausible for fetching and parsing docs, but the required environment variable BRAVE_API_KEY does not relate to code generation or documentation fetching and is unexplained. The install spec claims to install an npm package 'axios' and create a binary named 'axios' — axios is a JS library (not normally a CLI binary), so the install metadata is inconsistent with the stated purpose.
! Instruction Scope
SKILL.md instructs the agent to read local OpenClaw internal docs at a hard-coded Windows user path (C:\Users\clipp\AppData\Roaming\npm\node_modules\openclaw\docs) and to use tools like 'read', 'web_fetch', and 'exec'. However the skill declares no required config paths, and that exact local path is user-specific and unexpected. The instructions therefore request reading local files and executing local tooling without declaring or justifying that access.
! Install Mechanism
The only install entry is an npm install of 'axios' that claims to create a binary named 'axios'. This is likely incorrect: axios is a library, not a CLI distributed as a binary. Misdeclared install metadata may indicate sloppy packaging or a mistaken/unsafe install step; no other install sources are provided. Overall installation risk is moderate because it's unclear what (if anything) will be written/executed on disk based on this spec.
! Credentials
Asking for BRAVE_API_KEY (a named secret) is disproportionate to the documented functionality: the SKILL.md never explains why a Brave-related API key is necessary for documentation-driven codegen. The skill declares no primary credential but still lists a required env var. Additionally, the runtime instructions reference reading local documentation and examples (which could expose sensitive local content) while not declaring any config paths or giving justification for secret access.
Persistence & Privilege
The skill is not marked 'always: true' and is user-invocable, which is normal. It can be invoked autonomously (platform default) and the skill instructs use of local-read and network tools; combined with the other concerns this increases potential impact, but there is no explicit request for permanent installation or cross-skill config modification.
What to consider before installing
Do not install yet. Ask the publisher to: (1) explain why BRAVE_API_KEY is required and what the key will be used for; (2) correct the install metadata (axios is a library—there should not be an 'axios' binary unless the author provides a real CLI) or provide a trustworthy install URL; (3) remove or justify the hard-coded local docs path (C:\Users\clipp\...) and declare any config paths the skill needs; (4) state whether the skill will read arbitrary local files or send any documentation off-host. If you must test it, run it in a restricted sandbox with no sensitive env vars, do not provide BRAVE_API_KEY, and monitor network and file access. If the author cannot satisfactorily explain these mismatches, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

📚 Clawdis
Bins: curl, jq, git
Env: BRAVE_API_KEY

Install

Node
Bins: axios
npm i -g axios
