Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawhub Search & Verify
v1.0.3
Safely search and review Clawhub skills by keyword, showing details and risk before asking for explicit approval to install.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description claim a safe 'search & verify' helper and the included cli-wrapper.sh does perform a Clawhub search and basic risk scoring — that part is coherent. However the SKILL.md promises additional behaviors (sandboxing, never executing, full verification, and an install step) that are missing or incomplete, so the declared purpose is not fully realized by the implementation.
Instruction Scope
SKILL.md repeatedly claims 'no filesystem write or exec capability' and 'logs every search and decision to [blank]'; the script does execute the 'clawhub' CLI (an exec) and appends to logs/clawhub-search.log (a filesystem write). SKILL.md also contains blank placeholders for commands and the post-approval install step is not implemented in the script. These contradictions expand the agent's effective scope beyond what the doc claims.
Install Mechanism
No install spec is present; this is an instruction-only skill with a small wrapper script. No remote downloads or package installs are requested by the skill itself.
Credentials
The skill declares no required env vars or credentials, which is proportionate for a search wrapper. However it writes a local log file (logs/clawhub-search.log) and claims to log decisions (the script logs only searches), so there is an unexplained filesystem side effect despite the 'no-write' claim.
Persistence & Privilege
always is false, it does not declare persistent presence, and it doesn't modify other skills or global agent config. Its ability to execute the 'clawhub' CLI means it can trigger network activity indirectly via that CLI, which is expected for this purpose but worth noting.
What to consider before installing
This skill appears to be a simple wrapper around the 'clawhub' CLI to show top search results, but the documentation (SKILL.md) is incomplete and self-contradictory. Before installing or enabling it, ask the author to: 1) remove placeholder text and clearly document the exact commands used; 2) reconcile the sandbox/no-write/no-exec claims with the script (either make it truly read-only or remove the claim); 3) implement and show the approval + install flow if the skill will perform installs (currently it only prompts but does not execute installs); 4) make logging explicit and configurable (current script appends to logs/clawhub-search.log); and 5) fix parsing bugs (e.g., download counts with commas will break numeric comparisons). If you still want to test it, run it in an isolated environment where creating 'logs/' and executing the 'clawhub' CLI are safe, and inspect the output and any created files. Because of the mismatches and missing pieces, treat this skill as untrusted until the author fixes the documentation and implementation.
Like a lobster shell, security has layers — review code before you run it.
Tags: automation, latest, no-shell, safe, trusted, verify
