Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Readme Maker
v2.0.0
Design beautiful GitHub profile READMEs with templates. Use when styling profiles, validating badges, generating stat widgets, formatting bio sections.
⭐ 0· 104·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (README templating, linting, formatting) align with the included shell script and SKILL.md: commands, logging, export, preview, diff, and stats are implemented and expected for a devtool of this type.
Instruction Scope
SKILL.md and the script are focused on local README tooling and persistent local logs. The runtime instructions and script only read/write files under the user's home data dir and use standard Unix utilities; they do not access unrelated system paths or external endpoints.
Install Mechanism
No install spec is provided (instruction-only with an included script). There is no network download or package install; the script runs locally. This is the lowest-risk install pattern.
Credentials
The skill requires no environment variables, no credentials, and no config paths beyond creating ~/.local/share/readme-maker. Nothing requested appears disproportionate to a README devtool.
Persistence & Privilege
The script creates and writes persistent logs under ~/.local/share/readme-maker (history and per-command logs) which is consistent with its described behavior. It is not 'always: true' and does not modify other skills or global agent settings.
Assessment
This skill appears internally consistent and only stores data locally in ~/.local/share/readme-maker. Before installing or running it: (1) review the script if you plan to log sensitive content—entries are saved verbatim and exported without JSON escaping; avoid logging secrets or tokens; (2) confirm you are comfortable with a new directory and log files in your $HOME; (3) if you will run it in CI, ensure pipeline secrets are not passed to the tool (it has no sanitization); (4) verify the publisher (BytesAgain) via bytesagain.com or the provided contact if you need provenance. If you want extra caution, run the script in a sandboxed account/container to observe behavior first.
Like a lobster shell, security has layers — review code before you run it.
