Is the-flip safe?
https://clawhub.ai/maurodelazeri/the-flip
This skill is effectively empty — no SKILL.md content, no source code, no package.json, and no functionality. The only file is a lock.json that references a different skill name ('academic-research-hub') than the installed slug ('the-flip'). While no active threats were detected, the pattern of an empty skill with a name mismatch raises concerns about namespace squatting or trojan placeholder tactics where malicious content could be pushed in a future update.
Category Scores
Findings (5)
MEDIUM Empty SKILL.md — no declared purpose -15 ▶
The skill's SKILL.md file is completely empty. While this means no active prompt injection exists, it also means the skill provides zero functionality. Empty skills are a known pattern for placeholder/trojan installations that receive malicious payloads in future updates.
MEDIUM Skill name mismatch in lock.json -15 ▶
The installed skill slug is 'the-flip' but lock.json declares an internal skill named 'academic-research-hub'. This mismatch suggests the skill was repackaged, renamed, or is impersonating another skill. Users expect the installed skill to match its declared identity.
LOW Zero-utility skill — potential trojan placeholder -70 ▶
The skill contains no code, no instructions, no configuration, and no functionality. Its only file is a lock.json with a mismatched skill name. This pattern is consistent with namespace squatting or trojan placeholder techniques where malicious content is added after initial trust establishment.
LOW No executable content present -10 ▶
No scripts, hooks, or executable files were found. The skill is inert in its current state.
INFO JIT cache files created during install -15 ▶
Multiple /tmp/jiti/*.cjs files were created during installation. These are standard JIT compilation cache artifacts from the ClawHub installer runtime (not from the skill itself) and are benign.