stashthis-agent

Warn

Audited by Socket on Feb 21, 2026

1 alert found:

Security: MEDIUM
SKILL.md

[Skill Scanner] Generic secret pattern detected

The skill is coherent with its stated purpose and does not itself contain explicit malicious code or suspicious remote-download instructions. The primary security concerns are operational: (1) it asks the user to store an API key locally and to modify/expose the OpenClaw gateway (which increases attack surface), and (2) it depends on external local scripts (scripts/stash.sh and scripts/stash-sync.sh) whose contents are not provided and therefore represent a supply-chain blind spot. If those scripts are trustworthy and the user carefully reviews changes to ~/.openclaw/openclaw.json and the chosen tunnel method, the risk is low. If the scripts or gateway components are untrusted, they could perform credential forwarding or exfiltration. Recommend auditing the referenced scripts and reviewing any config patches before applying.

LLM verification: This SKILL.md is an integration orchestration document that requests an API key, modifies a local gateway config, and instructs the user to expose a local webhook endpoint (via public IP or tunnel) so StashThis can deliver postbacks. The requested capabilities are consistent with its stated purpose and not inherently malicious, but they are high-risk from a supply-chain and operational-security perspective because: 1) it tells the user to store API keys in a plaintext file, 2) it instructs modif

Confidence: 80%
Severity: 75%
Audit Metadata
Analyzed At: Feb 21, 2026, 05:30 PM
Package URL: pkg:socket/skills-sh/zulabmm%2Fstashthis-agent-skill%2Fstashthis-agent%2F@75287dc225752f0d466c974dfb99ef685f74ef55