Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Felo Mindmap

v1.0.0

Generate mindmaps with Felo Mindmap API in Claude Code. Use when users ask to create/make/generate mindmaps, mind maps, or thinking maps, or when explicit co...

by wangzhiming @wangzhiming1999
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's code and SKILL.md implement mindmap creation via Felo's API (POST to https://openapi.felo.ai/v2/mindmap), which matches the name/description. However, the manifest declares no required environment variables or binaries while the runtime expects FELO_API_KEY (mandatory) and optionally FELO_API_BASE, and a Node runtime (node). Those omissions are inconsistent with the stated purpose and deployment metadata.
Instruction Scope
The SKILL.md keeps to the declared purpose: run a node script that sends the user's prompt and layout to the Felo API and returns mindmap_url. It instructs the agent to run shell/node commands and to read FELO_API_KEY from the environment; it does not request unrelated files or credentials. Note that user prompts are transmitted to a third-party API (Felo).
Install Mechanism
No install spec or external downloads are present; the skill is instruction + a small local node script. This is low install risk (nothing fetched at install time).
! Credentials
The runtime requires an API key (FELO_API_KEY) and supports FELO_API_BASE, but the registry metadata lists no required env vars or primary credential. The discrepancy means the manifest understates the credential need. FELO_API_KEY grants the skill access to the user's Felo account and will be sent as a Bearer token to the API; this is expected but should be declared in the manifest. Also, the script expects a node binary but the manifest lists none.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and has no install step that persists beyond its files. It only runs when invoked and requires no elevated privileges.
What to consider before installing
This skill appears to perform the advertised task (POST your prompt to Felo and return a mindmap URL), but the package metadata is incomplete. Before installing or providing credentials:
(1) verify you are comfortable sending prompts/data to https://openapi.felo.ai (prompts will be transmitted with your FELO_API_KEY in the Authorization header);
(2) supply FELO_API_KEY only after confirming the skill source (homepage is missing and the registry owner ID is opaque);
(3) ensure your agent environment has node available (the script runs with `node ...`) or the script will fail;
(4) be aware the code also honors FELO_API_BASE (undocumented in the manifest) — do not set it to an untrusted host;
(5) consider testing with non-sensitive prompts and a scoped/test API key first; and
(6) ask the publisher to update the manifest to declare FELO_API_KEY and the node requirement (and to publish a homepage/repo) so the capability and requirements are coherent.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/run_mindmap_task.mjs:157: Environment variable access combined with network send.
