Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Hormuzmonitorskills
v1.3.0 · Monitor Strait of Hormuz shipping traffic from JMIC, Iranian sources, and news aggregation. Write findings to MONITOR_LOG.md. Auto-update website data after...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name and description align with the instructions (fetch maritime sources, aggregate, append to MONITOR_LOG.md, update the website). However, the workflow expects a local website repo and a deployment script (~/hormuz-website/scripts/update_and_deploy.sh) and pushes to GitHub/Vercel, yet the skill declares no credentials or configuration requirements for that access; this is an unexplained assumption.
Instruction Scope
SKILL.md instructs the agent to fetch multiple web sources and conduct web searches (expected). It also instructs reading and modifying MONITOR_LOG.md (expected). Major concern: it explicitly runs a local shell command (exec bash ~/hormuz-website/scripts/update_and_deploy.sh). Whatever is at that path runs with the user's privileges, and the skill neither constrains nor verifies its contents. Alert delivery is underspecified (where and how immediate alerts are sent), leaving the agent broad discretion over which available channels to use.
Install Mechanism
Instruction-only skill with no install spec and no code files, which is the lowest install-risk category. Nothing is downloaded or written by the skill itself aside from appending to MONITOR_LOG.md in the workspace.
Credentials
The skill declares no required environment variables or credentials, yet it expects to push site changes to GitHub and relies on a local deployment script. Pushing to GitHub or Vercel normally requires repository credentials or SSH keys; the skill neither requests nor documents these, which is an inconsistency. Executing a user-local script may also read other credentials or sensitive repository state that the user did not intend to expose.
Persistence & Privilege
The always flag is false and autonomous invocation is allowed (platform default). The skill does not request permanent elevated presence. The only notable privileges are modifying MONITOR_LOG.md and executing a script in the user's home directory; neither is persistent privilege by itself.
What to consider before installing
This skill appears to do what it says (monitor sources, append a structured log, and update a website), but it assumes a local website repo and a deploy script that will be executed and will push data to GitHub/Vercel. Before installing or enabling:
1) Inspect ~/hormuz-website/scripts/update_and_deploy.sh (or confirm it exists and is trusted); do not let the skill execute an unknown script.
2) Confirm where alerts will be sent and which channels the agent may use (email, chat, webhooks, etc.).
3) Consider running the skill in an isolated environment (a container or a separate account) if you do not want MONITOR_LOG.md writes or pushes to be able to reach other files or credentials.
4) If you do not want data pushed to external services, remove or sandbox the deploy step, or ensure the repo has no sensitive content and that push keys/credentials are narrowly scoped.
5) If possible, require explicit environment variables or configuration documenting the GitHub/Vercel auth, and review those credentials' scope before granting them.
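As an added example that is not part of the skill, of ClawHub, or of the OpenClaw scan, the following POSIX shell gate addresses items 1 and 4 of the checklist above. Instead of letting the agent exec the raw path, you point it at this wrapper, which refuses to run the deploy script unless it is a regular file (not a symlink), is not group- or world-writable, and still matches a SHA-256 hash you pinned after reading it; it then runs the script under a scrubbed environment so GitHub/Vercel tokens reach it only if you pass them explicitly. The pin-file location, the function names, and the sample script used below are this example's own choices, not anything the skill documents.

```sh
#!/bin/sh
# Added example, not code from the skill, ClawHub, or OpenClaw: a wrapper that only
# runs the deploy script after it has been reviewed and hash-pinned.
# Assumptions (this example's own choices): the pin file location, the function
# names, and that the agent is pointed at "run" instead of the raw script path.

DEPLOY_SCRIPT="${DEPLOY_SCRIPT:-$HOME/hormuz-website/scripts/update_and_deploy.sh}"
PIN_FILE="${PIN_FILE:-$HOME/.config/hormuz-deploy.sha256}"   # assumed location

# Print the SHA-256 of a file; sha256sum on Linux, shasum on macOS/BSD.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Structural checks that hold whether or not a pin exists.
check_script_file() {
    script="$1"
    if [ ! -f "$script" ] || [ -L "$script" ]; then
        echo "refuse: $script is missing or a symlink" >&2
        return 1
    fi
    # Columns 6 and 9 of the mode string are the group and other write bits;
    # anyone who can write the file gets to run commands as you.
    case "$(ls -ld "$script" | cut -c6,9)" in
        *w*) echo "refuse: $script is group- or world-writable" >&2; return 1 ;;
    esac
    return 0
}

# Record the hash of a script you have just read end to end. Run this by hand,
# never from the agent, or the pin protects nothing.
pin_deploy_script() {
    check_script_file "$1" || return 1
    file_sha256 "$1" > "$2"
}

# Full gate: structural checks plus the pinned hash must match.
check_deploy_script() {
    script="$1"
    pinfile="$2"
    check_script_file "$script" || return 1
    if [ ! -f "$pinfile" ]; then
        echo "refuse: no pinned hash at $pinfile; review the script, then pin it" >&2
        return 1
    fi
    expected=$(cat "$pinfile")
    actual=$(file_sha256 "$script")
    if [ "$expected" != "$actual" ]; then
        echo "refuse: $script changed since it was reviewed (pinned $expected, got $actual)" >&2
        return 1
    fi
    return 0
}

# Run the script only if the gate passes, with a scrubbed environment so it
# cannot inherit API tokens from the agent's shell. Pass deploy credentials
# explicitly here (e.g. a narrowly scoped deploy key) rather than the whole env.
run_deploy_checked() {
    check_deploy_script "$1" "$2" || return 1
    env -i HOME="$HOME" PATH="$PATH" /bin/sh "$1"
}

# Usage (by hand, after reading the script):  sh deploy_gate.sh pin
# What the skill is allowed to call:          sh deploy_gate.sh run
case "${1:-}" in
    pin) pin_deploy_script "$DEPLOY_SCRIPT" "$PIN_FILE" ;;
    run) run_deploy_checked "$DEPLOY_SCRIPT" "$PIN_FILE" ;;
esac
```

The hash pin is what turns "inspect the script" from a one-time act into an ongoing control: a later edit to the script, whether by you, by a compromised dependency, or by the agent itself, makes the gate refuse until a human re-reads and re-pins. The writable-bit check closes the obvious bypass of editing the file in place, and the symlink refusal stops the path from being redirected elsewhere without touching the pinned file.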
latest: vk9742qrpn2pzse494p6yrd8yns83yqj5
