ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ucm

v1.1.1

Provides API marketplace access for AI agents. Discovers and calls external capabilities including web search, image generation, code execution, text-to-spee...

2· 594·0 current·0 all-time
byUCM.AI@ucmai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (API marketplace) match the declared credential (UCM_API_KEY), the SKILL.md lists many API services and endpoints, and the included register.sh registers an agent with registry.ucm.ai — all expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to make network calls (curl/HTTP) to UCM endpoints and documents service payloads; it does not instruct reading unrelated system files or additional environment variables beyond UCM_API_KEY. Allowed tools (curl, grep) are appropriate for the documented operations.
Install Mechanism
No install spec is present (instruction-only), lowering disk/installation risk. The only included script is a simple registration helper that uses curl/jq/python3; there are no downloads from untrusted URLs or archive extraction.
Credentials
Only a single credential (UCM_API_KEY) is required and is consistent with an API gateway/marketplace. No unrelated secrets or cloud credentials are requested.
Persistence & Privilege
always:false and autonomous invocation are normal. The provided register.sh writes credentials to ~/.config/ucm/credentials.json and prints the API key — expected for a CLI registration helper but worth noting because credentials are stored in plaintext JSON and printed to stdout.
Assessment
This skill appears internally consistent with an API marketplace aggregator, but consider the following before installing: (1) network access is required and calls to the marketplace will transmit request data and parameters off‑device — avoid sending sensitive secrets or private data to the service. (2) The registration script saves your API key to ~/.config/ucm/credentials.json and prints it to stdout; treat the key like any API secret and secure that file. (3) Calls to UCM are paid per endpoint — review pricing and quotas to avoid unexpected charges. (4) Verify the service (https://ucm.ai and registry.ucm.ai) and its privacy/policy terms if you plan to send user data. (5) If you need stronger local security, avoid using the registration helper and instead manage the key manually in a secure keystore.

Like a lobster shell, security has layers — review code before you run it.

latestvk971a9zzvrhgsy69yq57qh69zs81m83r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvUCM_API_KEY
Primary envUCM_API_KEY

Comments