Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Extruct API Skill
v1.0.0
Run explicit Extruct API tasks through the bundled Extruct CLI. Covers Deep Search, semantic search, lookalike search, company and people tables, column oper...
by @zkid18
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and playbooks align with an Extruct CLI-based integration. However, the SKILL.md repeatedly requires a bundled CLI (<extruct_api_cli>) resolved from the skill directory, yet the manifest contains no CLI script, no required binaries, and no install step—this is an unexplained gap.
Instruction Scope
Runtime instructions direct the agent to run authenticated CLI commands (auth, healthcheck, deep-search, tables, columns, etc.) and to prefer absolute CLI paths from the skill directory. Instructions do not ask for reading unrelated system files, but they do instruct interactive/authenticated actions (e.g., `auth user`) that could prompt for credentials. The explicit prohibition on constructing raw HTTP requests if the CLI supports an operation means the agent is expected to rely on that (missing) CLI.
Install Mechanism
There is no install spec (lowest risk) and no code files beyond docs and playbooks. That is generally safe, but the skill's operation depends on a bundled CLI that is not present or documented. Where and how that binary would appear is unspecified, which is both a risk and an inconsistency.
Credentials
The skill declares no required environment variables or credentials. That is proportionate to an instruction-only skill. However, the runtime flow expects interactive CLI authentication (`<extruct_api_cli> auth user`), which implies credential input/storage behavior not declared in the manifest and should be clarified before use.
Persistence & Privilege
The skill is not always-on, is user-invocable, and has no install steps or modifications to other skills or system-wide settings. No elevated persistence is requested by the manifest.
What to consider before installing
Do not run or supply credentials to this skill yet. The SKILL.md expects a bundled Extruct CLI located in the skill directory, but the package you provided contains only documentation and no CLI or install instructions. Ask the publisher or platform: (1) where is the <extruct_api_cli> binary/script and how is it installed; (2) what is the exact auth flow and where credentials are stored; (3) who is the author/maintainer and is there a homepage or source repo you can vet. If you must test, do so in a sandboxed environment, verify any CLI is the official Extruct release (signed or from a trustworthy release URL), and do not enter production credentials until you confirm the binary's origin and behavior.
Like a lobster shell, security has layers — review code before you run it.
latest vk975e1cz1z9xregg3z7gxh25a5849n8j
