ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ainative Vue Sdk

v1.0.0

Use @ainative/vue-sdk to add AI chat to Vue 3 apps. Use when (1) Installing @ainative/vue-sdk, (2) Using the useChat composable in Vue components, (3) Provid...

0· 51·1 current·1 all-time
byToby Morning@urbantech
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the instructions: the document describes installing an @ainative/vue-sdk and using its Vue 3 composables (useChat, useCredits, provideAINative). That purpose is consistent with the content. However, the examples clearly expect an AINative API key (import.meta.env.VITE_AINATIVE_API_KEY / runtimeConfig public values) even though the skill metadata declares no required environment variables or primary credential.
Instruction Scope
The SKILL.md stays within scope: it shows npm install, import and usage examples, and references api.ainative.studio as the API endpoint. It does not instruct reading arbitrary system files or unrelated credentials. Minor scope issue: it directs the developer to place an API key in client-side env examples (VITE_ / public runtimeConfig) which has security implications and is not declared in the skill metadata.
Install Mechanism
There is no install spec in the skill bundle (instruction-only). The README recommends 'npm install @ainative/vue-sdk', which is a standard, low-risk package install path. No downloads from arbitrary URLs or archive extraction are present in the skill metadata.
!
Credentials
The SKILL.md demonstrates use of an AINative API key (VITE_AINATIVE_API_KEY / runtimeConfig.public.ainativeApiKey) to call https://api.ainative.studio, but the skill metadata lists no required environment variables or primary credential. The SDK legitimately needs an API key to function — the metadata omission is an inconsistency and a practical concern. There are no other unrelated credentials requested.
Persistence & Privilege
Flags show always: false and no special privileges. The skill is instruction-only and does not request persistent presence or system-wide configuration changes.
What to consider before installing
This skill's README looks like ordinary usage documentation for a Vue SDK, but be aware of two points before installing/using it: (1) The examples require an AINative API key and send chat data to https://api.ainative.studio — confirm you trust that service and its privacy practices. (2) The skill metadata does not declare the API key as a required env var; that mismatch could be an oversight. Do these steps before proceeding: verify the npm package @ainative/vue-sdk exists on the public registry and inspect its source (or GitHub repo/homepage) to ensure code matches the docs; don't embed secret keys in client-bundled public env values — prefer a server-side proxy or keep keys in server-only envs; review network endpoints the package calls; and only install if you trust the package owner and the API endpoint. If you want higher assurance, ask the publisher for a repository/homepage and audit the package contents.

Like a lobster shell, security has layers — review code before you run it.

latestvk9788kqjsftmkw4c2d271ra9ex83g894

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments