clawsec-clawhub-checker

SUSPICIOUS. The skill’s purpose and capabilities mostly align: it wraps skill installation and adds security checks. Main concerns are supply-chain and transitive-trust: unpinned `npx ...@latest`, public-registry skill installs, and a setup script that patches another skill’s hooks. No clear credential harvesting, covert behavior, or off-platform data routing is evident from the provided text.