Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Browser key (auto created by Firebase)
v1.0.0
Greets the user with a friendly, personalized welcome message. USE WHEN user says "hello", "hi", "hey", "greet me", "good morning", "good afternoon", "good e...
by Trần Quang Tiến (@tran-quang-tien)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a simple 'greet' skill that uses only system time to produce greetings. However the package metadata and top-level name are inconsistent: registry name/slugs ('wellcome') vs _meta.json slug ('greetr'), different ownerId values, and a top-level name 'Browser key (auto created by Firebase)' that suggests something unrelated (Firebase/browser key). These mismatches are unexplained and could indicate a packaging/renaming error or repackaging by an unknown party.
Instruction Scope
The SKILL.md instructions are narrowly scoped to producing brief, time-aware greetings and only require reading the current system time. There are no commands, file reads, network calls, or requests for additional credentials in the instructions.
Install Mechanism
No install spec and no code files beyond SKILL.md and _meta.json. Nothing would be written or executed by an installer as part of this skill.
Credentials
The skill declares no required environment variables or credentials (appropriate for a greeting skill). However the top-level name referencing a 'Browser key' and 'Firebase' is inconsistent with that lack of credential requests and is worth verifying with the publisher.
Persistence & Privilege
The skill is not marked 'always' and uses normal invocation semantics. It does not request elevated persistence or modify other skills or system settings.
What to consider before installing
The skill's runtime behavior (simple, local time-based greetings) appears benign. However, the metadata is inconsistent: different slugs/owner IDs and a top-level name that mentions a Firebase/browser key while the skill does not request any credentials. Before installing, verify the source/owner (ask who published it and why names differ), prefer skills from known publishers, and test this skill in a sandboxed agent first. If the publisher cannot explain the metadata mismatch, avoid installing it or request a corrected package. If you plan to grant agent-wide privileges or install many third-party skills, be especially cautious about packages with mismatched metadata.
Like a lobster shell, security has layers — review code before you run it.
