ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dialogflow Cx Flows

v1.0.0

Manage flows and pages in Google Dialogflow CX via REST API. Use for creating and organizing conversation paths within agents. Supports v3beta1 API.

0· 294·0 current·0 all-time
byYash Kavaiya@yash-kavaiya
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included CLI script and SKILL.md. The script and curl examples all target Dialogflow CX v3beta1 endpoints and use standard Google auth mechanisms; nothing requested is unrelated to managing flows/pages.
Instruction Scope
SKILL.md instructs the agent to obtain a Google access token (gcloud or service account) and call Dialogflow REST endpoints or use the provided Python CLI. Instructions do not request reading unrelated files or sending data to non-Google endpoints.
Install Mechanism
There is no install spec (instruction-only), which is low-risk. The Python script recommends installing google-cloud-dialogflow-cx and google-auth via pip; that is expected for this functionality but the registry does not provide an automatic install step.
Credentials
The skill requires Google credentials (gcloud ADC or a service-account JSON) to operate, which is proportional to its purpose. The registry metadata, however, lists no required env vars — SKILL.md mentions exporting GOOGLE_APPLICATION_CREDENTIALS and using a TOKEN/PROJECT_ID placeholders; this mismatch is informational but not malicious.
Persistence & Privilege
always is false and the skill does not request persistent system-wide changes or modify other skills. The CLI is a simple client and does not persist secrets or alter agent configuration beyond normal Dialogflow API operations.
Assessment
This skill appears to do what it says: manage Dialogflow CX flows and pages. Before installing or running it: (1) Verify the source/repository since 'Source: unknown' and no homepage are provided. (2) Inspect the included scripts (scripts/flows.py) yourself — they are short and readable. (3) Use a Google service account with the minimum Dialogflow permissions required (principle of least privilege). (4) Prefer using gcloud ADC or a dedicated service-account JSON stored securely; do not paste tokens into untrusted UIs. (5) If you will run the pip-installed libraries, install them in a virtual environment. If any of these checks fail or you can't verify the origin, treat the skill with caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk973n18zfme9686t9vrp9fqtj9820jbp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments