Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ainative Svelte Sdk

v1.0.0

Use @ainative/svelte-sdk to add AI chat to Svelte/SvelteKit apps. Use when (1) Installing @ainative/svelte-sdk, (2) Using Svelte stores for chat state, (3) C...

by Toby Morning (@urbantech)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (Svelte SDK for adding AI chat) match the instructions: creating Svelte stores, calling an AINative chat endpoint, and recommending server routes. The functionality described plausibly requires an AINative API key and outbound network access to api.ainative.studio.
Instruction Scope
SKILL.md stays within the stated purpose: it shows installing the npm package, setting configuration with import.meta.env, and a recommended server route that posts to https://api.ainative.studio/v1/public/chat/completions. It also explicitly warns not to expose API keys client-side, which is appropriate. No instructions request unrelated files, credentials, or system state.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code—lowest-risk delivery. It instructs using npm to install @ainative/svelte-sdk (expected for a JS SDK) but does not perform any downloads itself.
Credentials
SKILL.md references two environment variables (VITE_AINATIVE_API_KEY for client builds and AINATIVE_API_KEY for server-side use) but the skill metadata lists no required env vars or primary credential. The SDK legitimately needs at least a server API key; the metadata omission is an incoherence that reduces transparency and should be corrected. Otherwise the credentials requested in the docs are proportional to the purpose.
Persistence & Privilege
The skill is not always-enabled, does not request elevated persistence, and contains no instructions to modify other skills or agent settings. Autonomous invocation is allowed (platform default) but there is no extra privilege requested.
What to consider before installing
This skill's docs look like a normal Svelte SDK, but the metadata omitted the environment variables that the docs require. Before installing or wiring this into production:
(1) verify the npm package and publisher (is @ainative/svelte-sdk actually published under the expected owner?),
(2) inspect the package source/repository and package contents to confirm there is no unexpected behavior,
(3) ensure you only store the real API key server-side (AINATIVE_API_KEY in SvelteKit $env/static/private) and never embed private keys in client bundles (VITE_ keys are public-facing),
(4) confirm the API host (https://api.ainative.studio) is correct and trusted, and
(5) ask the skill publisher to update the skill metadata to declare the required environment variables (at minimum AINATIVE_API_KEY) so automated tooling and reviewers have accurate information.
If you cannot inspect the package source or confirm the publisher, treat the package as higher risk and avoid exposing sensitive keys.
