ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Lookup

v1.0.0

Search, retrieve, and install Agent Skills from the prompts.chat registry using MCP tools. Use when the user asks to find skills, browse skill catalogs, inst...

0· 629·2 current·2 all-time
by@zhengxinjipai
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description match the SKILL.md instructions: it searches the prompts.chat registry (via search_skills/get_skill) and saves retrieved files to .claude/skills/{slug}/. There are no unrelated env vars, binaries, or installs requested.
Instruction Scope
Instructions are focused on searching, retrieving, and saving skill files. This is expected, but the installer saves all returned files (including helper scripts/configs) with only a minimal verification step (ensure SKILL.md exists). That means arbitrary files from the registry can be persisted on disk; there is no checksum/signature verification or explicit sandboxing described.
Install Mechanism
No install spec is provided (instruction-only), so nothing is downloaded or executed by the skill itself beyond the described get_skill calls and local file writes. This is lower risk than an installer that pulls executables from arbitrary URLs.
Credentials
The skill requests no environment variables, credentials, or config paths. It only reads data returned by registry tools and writes to the .claude/skills directory as described.
!
Persistence & Privilege
The skill persists files under .claude/skills/{slug}/ which is expected for an installer, but this grants it the ability to add arbitrary skill files into the agent's skill set. Combined with normal model invocation (disable-model-invocation=false), this could allow the agent to install new skills autonomously unless carefully governed; the SKILL.md does not require explicit user confirmation beyond the user's initial request.
Assessment
This skill is coherent for its stated purpose, but it writes whatever files are returned by the registry into your .claude/skills folder with minimal verification. Before installing a skill retrieved by this tool: 1) Inspect the skill's file list and SKILL.md for unexpected helper scripts or executables; 2) Prefer skills from reputable authors or with documentation and checksums/signatures; 3) Require explicit user confirmation before saving/installing (do not allow autonomous installs), and if possible run newly installed skills in a sandbox or review their contents before enabling them; 4) If you want extra safety, only install skills that are instruction-only (SKILL.md) and avoid ones that include scripts or binaries.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ap5810b44kw6d53axq1gvpn82c7ah
629downloads
0stars
1versions
Updated 6h ago
v1.0.0
MIT-0
@zhengxinjipai
latest
Download

Workflow

  1. Search for skills matching the user's request using search_skills
  2. Present results with title, description, author, and file list
  3. If the user picks a skill, retrieve it with get_skill to get all files
  4. Install by saving files to .claude/skills/{slug}/ and verify the SKILL.md exists
  5. Confirm installation and explain what the skill does and when it activates

Example

search_skills({"query": "code review", "limit": 5, "category": "coding"})
get_skill({"id": "abc123"})

Available Tools

Use these prompts.chat MCP tools:

  • search_skills - Search for skills by keyword
  • get_skill - Get a specific skill by ID with all its files

How to Search for Skills

Call search_skills with:

  • query: The search keywords from the user's request
  • limit: Number of results (default 10, max 50)
  • category: Filter by category slug (e.g., "coding", "automation")
  • tag: Filter by tag slug

Present results showing:

  • Title and description
  • Author name
  • File list (SKILL.md, reference docs, scripts)
  • Category and tags
  • Link to the skill

How to Get a Skill

Call get_skill with:

  • id: The skill ID

Returns the skill metadata and all file contents:

  • SKILL.md (main instructions)
  • Reference documentation
  • Helper scripts
  • Configuration files

How to Install a Skill

When the user asks to install a skill:

  1. Call get_skill to retrieve all files
  2. Create the directory .claude/skills/{slug}/
  3. Save each file to the appropriate location:
    • SKILL.md.claude/skills/{slug}/SKILL.md
    • Other files → .claude/skills/{slug}/{filename}
  4. Read back SKILL.md to verify the frontmatter is intact

Guidelines

  • Always search before suggesting the user create their own skill
  • Present search results in a readable format with file counts
  • When installing, confirm the skill was saved successfully
  • Explain what the skill does and when it activates

Comments

Loading comments...