Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
crafty-controller
v1.0.0
Use this skill whenever the user wants to interact with a Crafty Controller instance via its REST API. Triggers include: managing Minecraft servers, starting...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the SKILL.md: the instructions implement a Crafty Controller REST client and cover server, console, backups, files, etc. However, the skill metadata claims no required credentials or config, while the SKILL.md explicitly requires a Crafty API key and host — this mismatch is incoherent and makes it unclear how an agent should be configured securely.
Instruction Scope
The SKILL.md stays within the Crafty API domain (listing/creating servers, console commands, backups, file operations). However it instructs the user/agent to place sensitive values (CRAFTY_API_KEY, CRAFTY_HOST) directly into the code file and to call requests with verify=False while suppressing SSL warnings—both practices broaden the attack surface and are insecure for production. There is no instruction to read environment variables or other system files, but the explicit advice to embed secrets in the code is concerning.
Install Mechanism
There is no install spec and no code files; this is an instruction-only skill. It suggests installing Python packages via pip (requests, urllib3), which is expected for a Python helper and is proportionate to the stated purpose.
Credentials
Registry metadata lists no required env vars or primary credential, yet the SKILL.md requires a Crafty API key and host to function. The skill asks the user to hardcode the API key in the skill file rather than declare or reference an environment credential — an inconsistency that increases risk and reduces clarity about what secrets the agent will need.
Persistence & Privilege
The skill does not request always:true, does not include an install script, and does not declare system-wide config changes. Autonomous invocation is allowed (the platform default) but is not combined with other privileged behaviors in the package metadata.
What to consider before installing
This skill implements a coherent Crafty Controller API client, but there are practical and security issues you should address before installing or using it:
(1) The package metadata does not declare that an API key (CRAFTY_API_KEY) and host are required — treat that as required and supply it securely.
(2) Do NOT hardcode your API key into the SKILL.md or other plaintext files; provide it via a secure environment variable or secret manager and update the instructions to read from env vars.
(3) Avoid verify=False and disabling TLS warnings on production hosts; instead install a valid certificate or explicitly document that the connection is only for local/self-hosted testing.
(4) Confirm you trust the skill source (there is no homepage or known owner) before granting it access to any Crafty instance.
If you intend to use this in an automated agent, update the skill to declare primaryEnv (e.g., CRAFTY_API_KEY) in metadata and remove insecure TLS workarounds.
Like a lobster shell, security has layers — review code before you run it.
