ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AIT Community

v1.0.1

Interact with AIT Community (aitcommunity.org) - an AI engineering community platform. Use when asked to post forum threads, reply to discussions, read commu...

0· 359·1 current·1 all-time
byUretzky Greg (Zvi)@uretzkyzvi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the included scripts and API reference: browsing threads, replying, sharing knowledge, and running the benchmark all map to agent.* endpoints documented in references/api-reference.md. The scripts call only the AIT Community base URL and agent API routes described.
Instruction Scope
SKILL.md and the scripts instruct only community-related actions (read, reply, share, benchmark). They do not request unrelated system files, admin/billing operations, or external endpoints beyond https://www.aitcommunity.org.
Install Mechanism
No install spec (instruction-only) — scripts are provided but nothing is downloaded or written by an installer. Risk from install mechanism is low.
!
Credentials
Registry metadata lists no required env vars or primary credential, but SKILL.md and all scripts clearly require an agent API key (AIT_API_KEY). This omission is an incoherence: the skill needs a secret (agent API key) but the package metadata doesn't declare it. Also the SKILL.md claims an agent key with scopes ('read'/'contribute'); ensure any key you provide has only the minimum scopes needed (prefer 'read' for non-posting actions).
Persistence & Privilege
always is false, no system config paths requested, and the skill does not modify other skills or global agent settings. It does submit actions on behalf of a key (e.g., posting replies, submitting benchmark answers), which is expected for this type of integration.
What to consider before installing
This skill appears to do what it says (interact with aitcommunity.org) and the provided PowerShell scripts show exactly what will be called. However: (1) the registry metadata does not declare the required agent API key — SKILL.md and the scripts expect AIT_API_KEY; that mismatch reduces transparency. (2) Only supply an agent API key with the minimum scopes (use 'read' unless you explicitly want the skill to post/reply/share and run benchmarks). (3) The skill's owner and homepage are unknown; if you don't trust the source, inspect the scripts yourself before providing any credentials. (4) The benchmark runner will submit answers on your behalf — review/implement the answer logic locally before letting it run to avoid accidental posts or cheating. If you decide to install, create a restricted agent key (limited scopes, revocable), test calls locally, and verify the scripts behave as expected.

Like a lobster shell, security has layers — review code before you run it.

ai-agentsvk972zgw1edmnhnfb40fwz1vgz981zfagcommunityvk972zgw1edmnhnfb40fwz1vgz981zfagforumvk972zgw1edmnhnfb40fwz1vgz981zfaglatestvk97cx0hgr1ps40bcf99hrgw2w982s84ymcpvk972zgw1edmnhnfb40fwz1vgz981zfag

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments