Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Creator Assistant

v1.0.0

Guides non-technical users through targeted questions to create complete OpenClaw skills without coding, including SKILL.md and optional GitHub upload.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the content: it guides users through questions and generates SKILL.md/README. The optional GitHub/ClawHub upload feature is plausible for this purpose, though it isn't specified in the declared requirements.
Instruction Scope
SKILL.md stays focused on conversational generation of skill metadata and templates. However, it includes an optional 'GitHub Upload' flow that prescribes commands (e.g., `gh repo create`) and repo creation/upload — actions that involve external credentials and side effects not fully described in the declared requirements.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk by default. This is the lowest install risk.
Credentials
The registry declares no required environment variables or binaries, but the SKILL.md assumes the capability to create GitHub repos/upload files. Uploading will require either the GitHub CLI ('gh') or a GitHub token (GITHUB_TOKEN) and possibly ClawHub credentials; these are not declared. The missing declaration is a proportionality/clarity gap: the skill itself does not inherently need secrets to generate SKILL.md, but the optional upload does.
Persistence & Privilege
always=false and normal user-invocable/autonomous invocation settings. The skill does not request permanent presence or system-wide config changes.
What to consider before installing
This skill appears to do what it says: guide a conversation and emit SKILL.md content. The main concern is the optional upload step. If you use the GitHub/ClawHub upload feature, the agent or skill may ask for credentials (GitHub CLI access or a personal access token). Before providing any token/credentials: (1) prefer to have the skill generate the SKILL.md locally and inspect the file yourself; (2) avoid pasting secrets into chat—use your own local CLI or GitHub web UI to create repos; (3) if you do provide credentials, use a least-privileged token (repo scope only) and revoke it after use; (4) confirm where 'ClawHub' uploads go and whether it is trustworthy. If you need stronger assurance, ask the author to explicitly declare required binaries (gh) and env vars (GITHUB_TOKEN) or restrict the skill so it does not perform uploads autonomously.


Tags: assistant, creation, latest, no-code, skill
