Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DataHive Installer

v0.1.0

Automates DataHive sign-in using a magic link workflow: requests the link, retrieves it from Gmail via gog, and opens it in a Chrome DevTools tab.

by Maxim Tuleyko (@tuleyko)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose is to request a DataHive magic link from the API, read the email from Gmail (via gog), and open the link in a Chrome DevTools tab. That basic flow is coherent with the required binaries (gog, curl, websocat). However the scripts also force-install a Chrome extension via system-managed policies (writes /etc/opt/chrome/policies/managed/extensions.json on Linux and /Library/Managed Preferences/com.google.Chrome.plist on macOS). Forcing a system-level Chrome extension and editing managed preferences is a high-privilege, persistent action that is not clearly justified by a simple magic-link login flow. Additionally, install_websocat requires Homebrew even on Ubuntu (where the script uses apt for other packages), which is an implementation inconsistency.
Instruction Scope
SKILL.md directs running multiple scripts that perform privileged actions (sudo apt installs, creation of system policy files, modifying /Library/Managed Preferences). The scripts read your gog authenticated account and Gmail messages (expected for retrieving the link), but they also make persistent system changes (Chrome policy) and run a long‑running Chrome supervisor in background. The instructions assume use of sudo and do not surface that requirement in the metadata. The strict execution-order requirement plus system-wide policy changes grants the skill broad discretion over the user's browser environment beyond what's needed to just open a single link.
Install Mechanism
There is no registry install spec, but the included scripts perform network installs and system modifications: they add Google's apt repo and install google-chrome via apt on Linux, use Homebrew casks on macOS, and force-install an extension from clients2.google.com. Downloads are from legitimate Google endpoints (chrome repo, clients2.google.com), but the process requires sudo and writes to system policy locations. The scripts' method for installing websocat (via brew) is odd on Ubuntu and could cause failures — a sign of sloppy/unsafe assumptions. Writing system-managed browser policies is a high-risk install behavior.
Credentials
The skill declares no required environment variables, but it implicitly requires: sudo/root privileges to write system policies and install packages; a configured gog account (so the skill can run gog auth list and gog gmail get); and the ability to start Chrome with a remote-debugging port. Requiring system-wide Chrome policy changes and sudo is disproportionate for a task that could instead open a link in the user's browser or use a temporary browser profile. The skill will read Gmail message contents via gog (which is consistent with the stated goal), but that is sensitive and should be explicitly declared.
Persistence & Privilege
The skill makes persistent, system-level changes: it writes Chrome managed policies (system directories on Linux and macOS) which force-install an extension and require sudo. It also starts a background Chrome supervisor process that will persist in the user's session and writes files under $HOME/.chrome-datahive. The skill does not use always:true, but the combination of persistent system policy changes plus a background supervisor increases the blast radius and is a significant privilege escalation relative to just opening a login URL.
What to consider before installing
Before installing or running this skill, consider the following:
- It requires sudo and will modify system-managed Chrome policies to force-install a browser extension (system-level change that persists). Ask the author why a system-wide extension is necessary and for the extension's Web Store page or source code to audit it.
- The skill reads your Gmail messages via the gog CLI. Ensure gog is properly configured and you understand that the skill will fetch email contents (magic links are sensitive secrets).
- The scripts assume Homebrew in places where apt would be expected (Ubuntu), which suggests sloppy or untested behavior — run this only in a sandbox or VM first.
- If you need the functionality, prefer a less-privileged approach: run the sequence manually, run scripts in an isolated environment, or ask for a version that doesn't modify system policies and that documents required privileges.
- If you proceed: review the extension ID (bonfdkhbkkdoipfojcnimjagphdnfedb) in the Chrome Web Store, inspect all scripts yourself, and avoid running with sudo on a production machine. If you are unsure, decline and request clarification from the publisher or run in a disposable VM/container.


latestvk97a85cxs4pcb9m3xzws2x3wh582k31b


Runtime requirements

🍯 Clawdis
Bins: gog, curl, websocat