ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Labradoc Cli

v1.0.0

Use the Labradoc CLI to authenticate and call Labradoc API endpoints (tasks, files, users, API keys, email, Google/Microsoft integrations, billing) from Open...

0· 343·0 current·0 all-time
byMarc Arndt@zamedic
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name, description, SKILL.md, README, and the included Go source implement a CLI for Labradoc API operations (tasks, files, auth, integrations, billing). The requested behaviors (API token or OAuth, reading config, storing tokens) are expected for this purpose.
Instruction Scope
SKILL.md instructs downloading the CLI from GitHub Releases and using API token or OAuth; it documents config precedence and commands. The runtime instructions and code only reference API endpoints for Labradoc and local config/token files. The OAuth flow opens a localhost callback (standard) and tokens are stored under the user config directory (~/.config/labradoc/cli), which matches the documentation.
Install Mechanism
No automated install spec in registry; SKILL.md recommends fetching prebuilt binaries from GitHub Releases (https://github.com/zamedic/labradoc-cli/releases). Fetching binaries from GitHub releases is common but users should verify authenticity (checksums/signatures) before running third-party binaries.
Credentials
The skill uses API tokens or OAuth and documents environment variables (API_TOKEN, API_URL, KEYCLOAK_URL, etc.) and config files. The registry metadata lists no required env vars; that is not harmful but means the skill treats those vars as optional overrides. Token storage on disk (~/.config/labradoc/cli/token.json and pkce.json) is expected for OAuth flows.
Persistence & Privilege
The skill does not request permanent 'always' inclusion, does not alter other skills, and only persists its own tokens/config under the user config directory. Autonomous invocation is allowed by default but is not combined with other concerning privileges.
Assessment
This skill appears to be what it says: a Labradoc CLI client. Before installing or running the binary: 1) verify the binary comes from the official repository and check cryptographic checksums/signatures if available; 2) review the README/SKILL.md and the command list so you understand what data can be uploaded or requested (files upload, file search, API key creation, etc.); 3) note that OAuth uses a local HTTP callback and tokens are stored under ~/.config/labradoc/cli (clear them with 'labradoc auth logout' if needed); 4) be careful if you override --api-url or API_URL — pointing it at an unfamiliar endpoint could send your tokens/data elsewhere; and 5) if you want extra assurance, build the CLI locally from the included source rather than running a prebuilt binary.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ze4ymq0144a95ce0knbny9824z57

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments