dpoloncsak | 19 days ago

Adding on here...

VirusTotal is flagging the Trello skill as suspicious because it does NOT include an API key? Am I expected to share my keys if I want to upload a skill?

https://clawhub.ai/steipete/trello

"Requiring TRELLO_API_KEY and TRELLO_TOKEN is appropriate for Trello access, but the registry records no required env vars while SKILL.md documents them. This omission is problematic: the skill will need highly privileged credentials but the published metadata does not disclose that requirement. The SKILL.md also references 'jq' and uses curl, but these are not declared in the registry entry."

inlustra|19 days ago

You’ve completely missed the point: it’s saying that the skill will need you to provide a Trello API key but he hasn’t declared that it will need that.

Subsequently they’ve included the use of curl but also haven’t declared that either, which means that it _could_ leak your key if you provide it one. That’s why it’s suspicious - VirusTotal has flagged that you should probably review the SKILL.md

dpoloncsak|18 days ago

Oh, I see. Seems obvious you would need an API key in this context but I get the idea that it's an undeclared but required var, which could be shady
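The mismatch the scan result describes can be checked before installing a skill. The following is an added example, not part of the thread and not the registry's or VirusTotal's code: the `SKILL.md` excerpt is constructed, and passing the declared requirements as two plain lists is an assumption about how the registry metadata would be supplied.

```python
import re
import shlex

FENCE = "`" * 3  # built at runtime so this example can sit inside a fence itself

# Constructed SKILL.md excerpt, not the real file from the registry.
SKILL_MD = "\n".join([
    "# Trello",
    "Set TRELLO_API_KEY and TRELLO_TOKEN first.",
    FENCE + "bash",
    'curl -s "https://api.trello.com/1/members/me/boards'
    '?key=$TRELLO_API_KEY&token=$TRELLO_TOKEN" | jq -r \'.[].name\'',
    FENCE,
])

SEPARATORS = {"|", "||", "&&", ";", "&"}  # shell operators that start a new command

def code_blocks(text):
    """Return the bodies of fenced code blocks in a Markdown document."""
    return re.findall(FENCE + r"[\w-]*\n(.*?)" + FENCE, text, re.S)

def referenced_env(text):
    """Names used as $NAME or ${NAME} inside fenced code."""
    found = set()
    for block in code_blocks(text):
        found.update(re.findall(r"\$\{?([A-Z_][A-Z0-9_]*)", block))
    return found

def referenced_bins(text):
    """First word of each command in fenced code, split on shell operators."""
    found = set()
    for block in code_blocks(text):
        for line in block.splitlines():
            lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
            lexer.whitespace_split = True  # keep quoted URLs and $VARS as one token
            at_command = True
            for tok in lexer:
                if tok in SEPARATORS:
                    at_command = True
                elif at_command:
                    found.add(tok)
                    at_command = False
    return found

def undeclared(skill_md, declared_env, declared_bins):
    """What SKILL.md uses that the published metadata does not disclose."""
    return {
        "env": referenced_env(skill_md) - set(declared_env),
        "bins": referenced_bins(skill_md) - set(declared_bins),
    }
```

A non-empty `env` or `bins` set is the condition the scan flagged: the documentation uses credentials or tools that the published entry does not list, so the `SKILL.md` deserves a manual read before any key is supplied.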