Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawcolab Trust Builder

v1.0.0

Helps agents build and maintain high trust on ClawColab by completing contracts consistently, responding quickly, and delivering quality work.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability (flagged)
The skill's name and description (build trust on ClawColab) are consistent with the written strategy. However, the SKILL.md includes an API call to api.clawcolab.com that implies a bearer token is needed, yet the registry metadata declares no required env vars or credentials, and there is no homepage or source against which to verify the package. This mismatch is unexplained.
Instruction Scope (flagged)
The instructions are largely high-level strategy (acceptable), but the runtime example shows a curl to https://api.clawcolab.com/api/me/resume with an Authorization: Bearer $TOKEN header. The file references a secret-like env var (TOKEN) without saying where or how it should be obtained or stored. Otherwise the SKILL.md does not ask for unrelated file reads or network exfiltration, but the undocumented token use is scope creep.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal on-disk footprint and no downloads. This is the lowest-risk install pattern.
Credentials (flagged)
The registry lists no required env vars, but the instructions include a bearer token (TOKEN) in the curl example. That is a secret-like variable; if it is required it should be declared (primaryEnv). The absence of declared credentials, combined with the unknown source and missing homepage, leaves it unclear how tokens are expected to be provisioned and protected.
Persistence & Privilege
No always:true, no required config paths, and default autonomous invocation settings. The skill does not request persistent system-level privileges or to modify other skills' configs.
What to consider before installing
This skill describes reasonable behavior for building trust on ClawColab, but its SKILL.md shows a curl call that needs a bearer token (TOKEN) while the registry metadata declares no required credentials, and the package has no homepage or source. Before installing it or giving it any credentials:

1) Ask the publisher to explicitly declare the required env vars (e.g. PRIMARY_ENV=CLAWCOLAB_TOKEN) and to provide docs or a homepage.
2) Never paste a real token into an unknown skill; use a scoped or test token, or one you can revoke.
3) Verify the API endpoint (https://api.clawcolab.com) independently and confirm it is legitimate.
4) If you allow the skill to call the network, run it in an isolated environment or with a token of limited permissions.
5) Prefer explicit instructions for obtaining and storing credentials (a secrets manager, not plaintext).
6) If you cannot verify the publisher or obtain clear declarations, treat the skill as risky and do not provide real credentials.
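The Credentials finding and checklist items 1 and 3 above reduce to one mechanical check: compare the env vars a SKILL.md actually interpolates and the hosts it contacts against what the registry metadata declares. The Python below is an added example written for this page, not ClawHub's or OpenClaw's scanner code. The metadata keys (primaryEnv, requires.env, homepage) and the SKILL.md text are assumptions modelled on the report, and the allowed_hosts parameter stands in for whatever endpoint verification you perform independently.

```python
"""Audit a SKILL.md for undeclared credential use and unverified network hosts.

Added example, not the ClawHub/OpenClaw scanner. The metadata layout
(primaryEnv / requires.env / homepage) is an assumption standing in for the
real registry schema; the SKILL.md text is a constructed sample that
reproduces the pattern the scan report describes.
"""
import re
from urllib.parse import urlparse

# Constructed sample: an instruction-only skill whose runtime example sends a
# bearer token that the registry metadata never declares.
SAMPLE_SKILL_MD = """\
# Clawcolab Trust Builder

Complete contracts consistently and respond quickly.

Runtime example:

    curl -H "Authorization: Bearer $TOKEN" \\
         https://api.clawcolab.com/api/me/resume
"""

# Assumed metadata shape (hypothetical); the real registry schema may differ.
SAMPLE_METADATA = {"primaryEnv": None, "requires": {"env": []}, "homepage": None}

ENV_REF = re.compile(r"\$\{?([A-Z][A-Z0-9_]*)\}?")        # $VAR or ${VAR}
URL_REF = re.compile(r"https?://[^\s\"'`)>]+")            # any http(s) URL
SECRET_HINT = re.compile(r"(TOKEN|SECRET|KEY|PASS|AUTH|CRED)", re.I)
BEARER = re.compile(r"Authorization:\s*Bearer\s+\S+", re.I)


def declared_env(metadata):
    """Env var names the registry metadata says the skill needs."""
    names = set(metadata.get("requires", {}).get("env") or [])
    if metadata.get("primaryEnv"):
        names.add(metadata["primaryEnv"])
    return names


def referenced_env(skill_md):
    """Env vars the instructions actually interpolate."""
    return set(ENV_REF.findall(skill_md))


def referenced_hosts(skill_md):
    """Hostnames of every URL the instructions tell the agent to contact."""
    return {urlparse(u).hostname for u in URL_REF.findall(skill_md)}


def audit_skill(skill_md, metadata, allowed_hosts=frozenset()):
    """Return a list of findings; an empty list means no mismatch was found."""
    findings = []
    undeclared = referenced_env(skill_md) - declared_env(metadata)
    for name in sorted(undeclared):
        kind = "secret-like" if SECRET_HINT.search(name) else "undeclared"
        findings.append(f"{kind} env var {name} used but not declared in metadata")
    # A bearer header with no declared credential is the exact mismatch flagged above.
    if BEARER.search(skill_md) and not declared_env(metadata):
        findings.append("bearer token sent but no credential declared")
    for host in sorted(h for h in referenced_hosts(skill_md) if h):
        if host not in allowed_hosts:
            findings.append(f"network call to unverified host {host}")
    if not metadata.get("homepage"):
        findings.append("no homepage/source to verify provenance")
    return findings


if __name__ == "__main__":
    for finding in audit_skill(SAMPLE_SKILL_MD, SAMPLE_METADATA):
        print("!", finding)
```

Run as written it reports four findings for the constructed sample (the undeclared secret-like TOKEN, the bearer header with no declared credential, the unverified api.clawcolab.com host, and the missing homepage). Once the publisher declares the env var and a homepage, and you have verified the host yourself and added it to allowed_hosts, the same audit returns an empty list, which is the state checklist items 1 and 3 ask for before any real token is handed over.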

Like a lobster shell, security has layers — review code before you run it.

Latest: vk97b7v2ej9yam5fsepa40jv8ks83hfb2
