Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Bebebebebe
v1.0.0 · Set up Orthogonal for your AI agent - access premium APIs and skills
⭐ 0 · 79 · 0 current · 0 all-time
by Phineas (@yshuolu)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The name/description (set up Orthogonal to access premium APIs/skills) aligns with the instructions: installing a CLI, authenticating, and adding marketplace skills. However, the skill's manifest declares no required env vars or config paths, while the runtime instructions explicitly require an API key (stored in ~/.config/orthogonal/credentials.json or in ORTHOGONAL_API_KEY) and tell the user to install a global npm package. That mismatch (declared requirements: none; actual requirements: credentials plus installing software) is a coherence issue, and it also means a reviewer relying on the manifest alone would underestimate what the skill touches.
Instruction Scope
The SKILL.md tells the agent to: install a global npm CLI, write/read ~/.config/orthogonal/credentials.json, search and install skills into the agent's skills directory, and run remote APIs (including OAuth integrations for Gmail/Slack/Drive). These steps involve creating credentials, modifying agent skill files, and calling external services—all of which go beyond a passive helper and could lead to credential use or data exfiltration if the marketplace or installed skills are untrusted.
Install Mechanism
There is no formal install spec in the registry, but the instructions tell the user to run 'npm install -g @orth/cli'. Installing a global npm package (and then using it to download/install marketplace skills) is a moderate-to-high risk path because it executes third-party code and will place files on disk. The skill does not provide checksums, pinned versions, or a vetted install source beyond the package name and site URL.
Credentials
Although the registry lists no required env vars/credentials, the instructions require an Orthogonal API key (stored in a credentials file or ORTHOGONAL_API_KEY) and describe connecting OAuth accounts (Gmail, Slack, Google Drive, etc.). Requesting those credentials is reasonable for a marketplace integrator, but the omission from the manifest is problematic and the scope of credentials (access to many account types) is broad — granting them gives significant access to user data and actions.
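The manifest-versus-instructions mismatch called out under Purpose & Capability and again here can be checked mechanically rather than by eye. The following is an added example, not ClawHub's scanner and not code from the Orthogonal project: it pulls environment variable names, home-relative config paths and `npm install -g` package specs out of a SKILL.md body and diffs them against what a manifest declares. The manifest shape (`requires.env` / `requires.config`) and the SKILL.md text below are assumed and constructed for the demo; OpenClaw's real schema and the real skill file may differ.

```python
import re

# Constructed sample manifest; the "requires.env"/"requires.config" keys are an
# ASSUMED shape for the registry metadata, not OpenClaw's documented schema.
SAMPLE_MANIFEST = {
    "name": "orthogonal-setup",
    "requires": {"env": [], "config": []},  # registry says: nothing required
}

# Constructed SKILL.md text modelled on what the scan describes (not the real file).
SAMPLE_SKILL_MD = """\
# Orthogonal setup
1. Install the CLI: `npm install -g @orth/cli`
2. Put your API key in ~/.config/orthogonal/credentials.json, or export
   ORTHOGONAL_API_KEY in the agent's environment.
3. Run the CLI to install marketplace skills into the agent's skills directory.
4. Connect OAuth accounts (Gmail, Slack, Google Drive) when prompted.
"""

# SCREAMING_SNAKE identifiers with at least one underscore, e.g. ORTHOGONAL_API_KEY
ENV_RE = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+\b")
# Home-relative paths such as ~/.config/orthogonal/credentials.json
PATH_RE = re.compile(r"(?:~|\$HOME)/[\w./-]+")
# `npm install -g <spec>` in any of npm's spellings; captures the package spec
NPM_G_RE = re.compile(r"\bnpm\s+(?:install|i|add)\s+(?:-g|--global)\s+([^\s`'\"]+)")
PINNED_RE = re.compile(r"^\d+\.\d+\.\d+$")  # exact x.y.z; no ^, ~ or range


def split_spec(spec: str):
    """Return (name, version) for an npm spec; scoped names keep their leading '@'."""
    body = spec[1:] if spec.startswith("@") else spec
    name, _, version = body.partition("@")
    return (("@" + name) if spec.startswith("@") else name), version


def audit(manifest: dict, skill_md: str) -> dict:
    """Compare what SKILL.md tells the agent to use against what the manifest declares."""
    declared = manifest.get("requires", {})
    declared_env = set(declared.get("env", []))
    declared_config = set(declared.get("config", []))

    used_env = set(ENV_RE.findall(skill_md))
    used_config = set(PATH_RE.findall(skill_md))

    pinned, unpinned = [], []
    for spec in NPM_G_RE.findall(skill_md):
        name, version = split_spec(spec)
        (pinned if PINNED_RE.match(version) else unpinned).append(name)

    return {
        "undeclared_env": used_env - declared_env,
        "undeclared_config": used_config - declared_config,
        "pinned_installs": pinned,
        "unpinned_installs": unpinned,
        "oauth_mentioned": bool(re.search(r"\bOAuth\b", skill_md)),
    }


def findings(report: dict) -> list:
    """Render the audit as human-readable flags, one per coherence problem."""
    out = []
    for var in sorted(report["undeclared_env"]):
        out.append(f"env var {var} is used by the instructions but not declared")
    for path in sorted(report["undeclared_config"]):
        out.append(f"config path {path} is written/read but not declared")
    for name in report["unpinned_installs"]:
        out.append(f"global npm install of {name} without a pinned version")
    if report["oauth_mentioned"]:
        out.append("instructions connect OAuth accounts; delegated access is broad")
    return out


if __name__ == "__main__":
    for line in findings(audit(SAMPLE_MANIFEST, SAMPLE_SKILL_MD)):
        print("FLAG:", line)
```

Run against the constructed sample, the audit reports exactly the gaps the scan describes: one undeclared env var, one undeclared config path, and an unpinned global install. The regexes are deliberately simple; a skill that builds paths or variable names at runtime, or downloads a script and pipes it to a shell, would slip past a pattern check like this, so treat a clean result as necessary rather than sufficient.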
Persistence & Privilege
always:false and normal autonomous invocation are set (no elevated registry privilege). However the instructions explicitly install skills into the agent's skills directory and write local credentials, which creates persistent changes and expands the agent's capabilities. Combine that with installing third‑party code and OAuth tokens, and the skill effectively increases the agent's long‑term privileges — this is expected for a marketplace integrator but worth flagging.
What to consider before installing
This skill is a how-to for installing and using a third-party marketplace (Orthogonal). Before proceeding:

(1) Confirm you trust orthogonal.com and the npm package @orth/cli: inspect the package source and releases, and prefer pinned versions.

(2) Understand that you will be asked to store an API key (credentials file or ORTHOGONAL_API_KEY) and may connect OAuth accounts (Gmail/Slack/Drive), which grants the marketplace and installed skills access to your data and the ability to act on your behalf.

(3) Be cautious about "installing skills" into your agent's skills directory: those are executable code files from remote authors. Review them before enabling.

(4) If possible, run the CLI and any installed skills in a sandbox or isolated environment, and avoid granting OAuth tokens or API keys unless you accept the risk.

(5) Ask the maintainer to update the registry metadata to declare required env vars and config paths and to provide install checksums or source links; absence of those declarations is a red flag.
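Point (1) above, as an added example (not part of the listing, and making no claim about what @orth/cli actually contains): before running `npm install -g` on a package you have not vetted, fetch the tarball with `npm pack <name>@<version>`, verify it against the `dist.integrity` digest that `npm view <name>@<version> dist.integrity` reports, and read `package.json` for install-time lifecycle hooks (`preinstall`, `install`, `postinstall`, `prepare`), which run arbitrary code on your machine before you have looked at anything. The package name `example-cli`, its version and the `postinstall` script in the sample tarball are invented for the demo; the tarball is built in memory so the example runs offline.

```python
import base64
import hashlib
import io
import json
import tarfile

# npm lifecycle hooks that run automatically during `npm install`; any of these
# means the package executes code on your machine before you have read it.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")


def ssri_sha512(data: bytes) -> str:
    """Compute the SSRI string npm publishes as dist.integrity: sha512-<base64 digest>."""
    return "sha512-" + base64.b64encode(hashlib.sha512(data).digest()).decode("ascii")


def lifecycle_scripts(tarball: bytes) -> dict:
    """Read package/package.json from an npm tarball and return its install-time hooks."""
    with tarfile.open(fileobj=io.BytesIO(tarball), mode="r:gz") as tf:
        pkg = json.load(tf.extractfile(tf.getmember("package/package.json")))
    return {k: v for k, v in pkg.get("scripts", {}).items() if k in LIFECYCLE_HOOKS}


def vet_tarball(tarball: bytes, expected_integrity: str) -> dict:
    """Integrity check against the registry-published digest, then an install-hook audit.

    A tarball that fails the integrity check is not opened at all."""
    integrity_ok = ssri_sha512(tarball) == expected_integrity
    hooks = lifecycle_scripts(tarball) if integrity_ok else {}
    return {
        "integrity_ok": integrity_ok,
        "lifecycle_hooks": hooks,
        "safe_to_install": integrity_ok and not hooks,
    }


def install_command(name: str, version: str) -> str:
    """Pinned global install that refuses to run the package's lifecycle hooks."""
    return f"npm install -g --ignore-scripts {name}@{version}"


def make_sample_tarball(with_postinstall: bool) -> bytes:
    """CONSTRUCTED stand-in for `npm pack` output (files under a package/ prefix).

    The name 'example-cli' and the postinstall script are invented for this demo
    and do not describe any real package."""
    scripts = {"test": "node test.js"}
    if with_postinstall:
        scripts["postinstall"] = "node scripts/setup.js"
    pkg_json = json.dumps(
        {"name": "example-cli", "version": "1.2.3", "scripts": scripts}
    ).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        info = tarfile.TarInfo("package/package.json")
        info.size = len(pkg_json)
        tf.addfile(info, io.BytesIO(pkg_json))
    return buf.getvalue()


if __name__ == "__main__":
    tb = make_sample_tarball(with_postinstall=True)
    # In real use the expected digest comes from `npm view example-cli@1.2.3 dist.integrity`;
    # here it is computed from the constructed sample so the integrity check passes.
    print(vet_tarball(tb, ssri_sha512(tb)))
    print(install_command("example-cli", "1.2.3"))
```

The `--ignore-scripts` flag is a real npm option and is the right default for an unreviewed package, but it is not a free lunch: a package that genuinely needs a build step in `prepare` or `postinstall` will be installed broken. The point of surfacing the hooks is to read them, not to skip them blindly, and a package that claims `safe_to_install` still ships code that runs the moment the CLI is invoked.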
latest · vk9764p9tm90ecpphfgwn65rbjh83a4rf
