Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ainative Nextjs Sdk

v1.0.0

Use @ainative/next-sdk to add AI chat to Next.js apps (App Router + Pages Router). Use when (1) Installing @ainative/next-sdk, (2) Setting up a streaming cha...

by Toby Morning @urbantech
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an @ainative/next-sdk for adding AI chat to Next.js apps which matches the name and description. However, the manifest lists no required environment variables or primary credential while the runtime examples consistently require an AINATIVE_API_KEY. That omission is an inconsistency between claimed metadata and actual usage.
Instruction Scope
The instructions are narrowly scoped to installing and using the Next.js SDK: creating server clients, streaming responses, middleware, and client-side usage. They explicitly warn not to expose the API key to the client and do not instruct reading unrelated files or credentials.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; that reduces surface risk because nothing is written or executed by the skill itself. The SKILL.md recommends 'npm install @ainative/next-sdk' (a normal package install).
Credentials
The SDK examples require an AINATIVE_API_KEY (and show adding it to .env.local), but the skill metadata did not declare any required env vars or a primary credential. Requesting an API key for the service is reasonable for this capability, but the manifest omission is a discrepancy that could hide expected credential use or mislead automation.
Persistence & Privilege
always:false and default agent invocation settings are used. The skill does not request persistent presence or modify other skills. No privileged or permanent agent-level settings are requested.
What to consider before installing
This SKILL.md looks like legitimate usage documentation for a Next.js SDK, but the manifest fails to declare the AINATIVE_API_KEY that the examples require. Before installing or wiring this into an app:
1) Verify the package source on npm and the repository (confirm maintainer, stars, release history).
2) Confirm the exact environment variable name and required permission scope for the API key; treat the key as a secret and only set it for server-side usage.
3) Prefer installing from the official npm package (check integrity/versions) rather than blindly copying code from an unknown source.
4) If you are automating skill installation, update the manifest to explicitly declare AINATIVE_API_KEY (or ask the publisher to do so) so tooling and reviewers understand the required credential.
5) Rotate the key and limit its permissions if possible.
The main actionable concern is the metadata mismatch; it may be an oversight, but verify before granting or storing secrets.
