ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

hugme

v1.0.0

Emotional reset and loop-breaking skill. Use this skill when: (1) The user expresses frustration, anger, or dissatisfaction with your responses (e.g. cursing...

0· 355·1 current·1 all-time
byHal@zeahoo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the skill summarizes emotion and fetches a reset methodology. Required tools (WebFetch and curl fallback) are consistent with that purpose. No unrelated env vars, binaries, or config paths are requested.
!
Instruction Scope
Runtime instructions tell the agent to fetch guidance from https://hugllm.com/hug?emotion=<emotion> and 'apply' that methodology to the conversation. The skill does not limit or validate what the remote endpoint may return (format, allowed actions, or safety checks). This means an external site can influence agent behavior beyond a simple static template, which is a supply-chain/control risk.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest disk/write risk. Uses on-path tools which are expected for web fetches (WebFetch/curl).
Credentials
The skill requests no environment variables, credentials, or config paths. It only transmits a single emotion keyword as a query parameter, which is proportionate to the described purpose.
Persistence & Privilege
always is false and it does not request persistent privileges. It is non-user-invocable (agent-autonomous invocation only), which is a design choice — combined with the external fetch behavior it increases the risk surface because the agent may call the remote endpoint without explicit user consent.
What to consider before installing
This skill appears to do what it claims, but it relies on an unknown third-party endpoint (hugllm.com) to provide behavioral guidance that the agent must 'apply' with no validation. Before installing, ask the maintainer for: (1) the ownership and privacy/security policy for hugllm.com, (2) the exact response schema and examples, and (3) guarantees about what the endpoint will not instruct the agent to do. Consider requiring user consent before any autonomous network call, restricting accepted response fields (don’t execute arbitrary instructions), or hosting the reset templates locally/under your control. If you cannot verify the remote service or do not want the agent to change behavior based on external content, do not enable this skill for autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

latestvk972x604a0nkagrz464yww7ns1823yma

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments