ClawHub

SkillMarket

v1.0.1

Use this skill to find, explore, and install new skills from the Zerone Skill Market (https://api.zerone.market/api). Trigger this when the user asks to "add...

0· 229·1 current·1 all-time
byZero@zerone-agent
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included script and SKILL.md: the skill queries https://api.zerone.market/api for listing, info, and install tutorials. No unrelated credentials, binaries, or platform accesses are requested.
Instruction Scope
SKILL.md instructs the agent to fetch listings/info/install tutorials and to require explicit user approval before executing any install commands. This stays within the marketplace purpose. Reminder: the marketplace may return arbitrary install commands (clone, curl, run scripts) — the skill delegates the decision to the user, which is appropriate but risky in practice.
Install Mechanism
There is no automated install spec and the included scripts only perform HTTPS GETs to the declared endpoint and print JSON/text. No archives are downloaded or executed by the skill itself, lowering local install risk.
Credentials
The skill declares no required environment variables or credentials and the code does not read environment secrets. It only needs network access to the marketplace endpoint, which is proportional to its stated function.
Persistence & Privilege
always is false and the skill does not request special system privileges or modify other skills. It does instruct placing installed skills under .agent/skills/ (expected for an installer).
Assessment
This skill is coherent for discovering and fetching install tutorials from an external marketplace, but the marketplace content can include arbitrary shell/git commands. Before approving any install: 1) Inspect the exact commands the marketplace returns — do not run them without review. 2) Avoid one-line remote-exec patterns like curl|sh or sudo unless you trust the publisher. 3) Prefer installers that come from well-known repos/releases or provide checksums/signatures; verify them if provided. 4) Run unfamiliar installs in a sandboxed environment or review the skill code after download. 5) If you want an extra safety layer, ask the agent to only fetch the tutorial but require you to perform the actual install steps manually.

Like a lobster shell, security has layers — review code before you run it.

latestvk977wdyg6rttbg565nvngtp6a182vq62

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments