ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

creator

v1.0.0

Guide for creating effective skills. This skill should be used when users want to create a new skill (or update an existing skill) that extends Claude's capabilities with specialized knowledge, workflows, or tool integrations.

0· 969·6 current·6 all-time
byvolcengine_skills@warm-wm
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (a skill-creation guide) match the included files: SKILL.md, references, and helper scripts to initialize, validate, and package skills. The bundled scripts' behavior (create directories, write template files, zip a folder, basic validation) is appropriate for a skill-authoring tool.
Instruction Scope
SKILL.md and references are guidance-focused and do not instruct reading secrets or unrelated system files. They do mention executing bundled scripts (init, package, validate) — which will write files to whatever path you pass them. That's expected for a creator tool, but be aware scripts perform filesystem writes and should be run only on paths you trust.
Install Mechanism
No install spec is provided (instruction-only skill). Bundled scripts are plain Python files; nothing is downloaded or extracted at install time. No remote URLs or package installation steps are present.
Credentials
The skill requests no environment variables, credentials, or config paths. The runtime scripts use standard filesystem operations and require a Python runtime; they import PyYAML (yaml) which is expected for frontmatter parsing but is not declared as an external dependency in metadata — this is an implementation detail, not a secret request.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It does include scripts that create files in user-specified locations and produce .skill zip files, which is consistent with a packaging tool; it does not modify other skills or system-wide settings.
Assessment
This skill is a template and helper-tool for creating other skills and appears internally consistent. Before running any of the included scripts, review them (they only perform filesystem operations, zipping, and YAML parsing) and ensure you run them on safe target directories. Note: quick_validate.py imports PyYAML — make sure your environment has the yaml package before running. Because the skill's owner is 'unknown' in the metadata, treat the package like any third-party code: inspect files, don't run them with elevated privileges, and only execute them if you trust the source or have reviewed the scripts.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ckrr29cvnqetj3dqenjj6ps80y658

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments