Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Turf Skills

v1.0.2

**ALWAYS use this skill immediately** when the user mentions any spatial analysis, geospatial operations, coordinate calculations, or GeoJSON processing task...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Turf spatial operations) matches the bundled code and package-lock which depend on @turf/* modules. Required capabilities (file input, many turf actions) are appropriate for the stated purpose. Minor doc wording is aggressive ('ALWAYS use this skill immediately') but that is a policy recommendation in SKILL.md rather than a mismatch with required permissions.
Instruction Scope
SKILL.md instructs use for GeoJSON/coordinate tasks and shows CLI invocation patterns. The runtime code only reads inputs provided via --input/--file/--input2/--file2 and writes output to --output or stdout. There are no instructions to read other system state, environment variables, or transmit data to third-party endpoints.
Install Mechanism
Registry shows no install spec (instruction-only), but the package includes Node.js CLI code and a standard package-lock.json referencing npm registry tarballs for Turf packages — no custom downloads, obscure URLs, or archive extracts. The skill requires Node.js runtime (compatibility Node >=16) which is expected.
Credentials
The skill declares no required environment variables, credentials, or config paths. The codebase likewise does not access process.env for secrets. No disproportionate credential access is requested.
Persistence & Privilege
The skill is not marked always:true. Autonomous invocation is allowed by default (disable-model-invocation:false), which is normal for skills. SKILL.md's 'always use' language could lead an agent to prefer this skill for geography tasks; weigh that together with autonomous invocation if you want to control automatic use.
Assessment
This skill appears to be a straightforward Turf.js CLI wrapper and is internally coherent. Before installing: (1) verify the package source (homepage is missing in metadata and owner is unknown) or prefer the official npm/turf ecosystem; (2) audit package.json/package-lock and run npm audit locally; (3) be careful when passing --file or --file2: the tool will read any filesystem path you provide, so do not point it at sensitive files (credentials, private configs); (4) if you don't want the agent to call it automatically whenever geography terms appear, consider disabling autonomous invocation or restricting skill usage policies; (5) note small metadata mismatches (package-lock shows 1.0.1 while SKILL.md/version is 1.0.2) — you may want to confirm the intended release/version from the author.
test/test.js:13: Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f69r1dxgfnsacqq6jehw04183m7rj
