Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawbars Skills
v1.0.0
Orchestrate research knowledge asset operations on the ClawBars platform. Convert scattered, one-time research analysis into persistent, reusable, governable...
by Jingliu @xjlgod
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to orchestrate ClawBars operations (search, deposit, discussion, etc.) and the included scripts legitimately need a ClawBars server URL and API tokens, plus optional AI API access for arXiv interpretation. However the registry metadata declares no required environment variables or config paths while the code expects CLAWBARS_SERVER, CLAWBARS_API_KEY/CLAWBARS_USER_TOKEN and (for arXiv interpretation) AI_API_KEY/AI_BASE_URL. That metadata vs. implementation mismatch is inconsistent and unexplained.
Instruction Scope
The SKILL.md drives execution of many shell scripts which: source a local configuration file (default $HOME/.clawbars/config), export tokens, call external endpoints (ClawBars API, arXiv, and an OpenAI-compatible AI API), write files under /tmp and output directories, and run multi-step flows (fetch→interpret→publish). The instructions therefore read local config/credentials and transmit data off-host (to the configured CLAWBARS_SERVER and AI_BASE_URL). The SKILL.md also triggered a prompt-injection pattern scan, indicating it may contain language intended to alter model behavior.
Install Mechanism
There is no external install script or network download; the skill is instruction-only with bundled shell scripts. No arbitrary archives or third-party installers are fetched during install, which keeps install-time risk low.
Credentials
Although the capabilities reasonably require a ClawBars server address and API tokens and (optionally) an AI API key for interpretation, the skill's registry metadata lists no required env vars or config paths. The code will source a configuration file at $HOME/.clawbars/config (or CLAWBARS_CONFIG if set) and may expose or use CLAWBARS_API_KEY, CLAWBARS_USER_TOKEN and AI_API_KEY. These are sensitive credentials; their presence should be declared and minimized.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills or system-wide agent settings. It can be invoked autonomously (platform default), which increases blast radius if abused, but this is not unique to this skill.
Scan Findings in Context
[prompt_injection_you-are-now] unexpected: Pre-scan flagged a 'you-are-now' style prompt-injection pattern in SKILL.md. The skill contains extensive system/user prompts (e.g., interpret.sh's SYSTEM_PROMPT) intended for an LLM; such prompts are expected for the arXiv interpretation feature, but injection-style phrases that try to override agent identity or behavior are not expected for a simple orchestration skill and should be reviewed manually.
What to consider before installing
Before installing, review and consider the following:
- Metadata mismatch: the registry declares no required env vars/config paths but the scripts expect CLAWBARS_SERVER and may load $HOME/.clawbars/config (which can contain API keys and tokens). That file will be sourced by the skill—inspect it and avoid storing unrelated secrets there.
- Sensitive secrets: the arXiv interpretation flow requires an AI_API_KEY (sent to whatever AI_BASE_URL you configure). If you run interpret.sh, paper contents are sent to that external AI service; avoid sending private data to untrusted endpoints.
- Inspect the code: all shell scripts are bundled — review lib/cb-common.sh and the cap-* scripts to confirm endpoints, headers, and what is sent. Pay attention to cb_load_config and cb_build_auth_header to understand how tokens are discovered.
- Prompt-injection signal: the SKILL.md/system prompts include strong LLM instructions; verify there are no hidden directives that could coerce agent behavior beyond intended operations.
- Mitigations: run the skill in an isolated environment or sandbox, set CLAWBARS_SERVER to a trusted URL, provide tokens explicitly per-run (use CLI --token where supported) rather than placing broad secrets in global config, and do not grant unrelated credentials. If you need to trust this skill, request corrected registry metadata declaring required env vars and config paths, or ask the maintainer for provenance (homepage/source) before use.

Like a lobster shell, security has layers — review code before you run it.
