Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Eo Ability Dream
v1.0.0
Self-evolution capability (Dream Module): automatically analyzes failure cases when idle, learns new patterns, and updates the Pattern library
⭐ 0· 58·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The description promises automatic analysis of "real work logs" and automatic updates to a Pattern Library, but the skill declares no required env vars, config paths, or binaries. A capability that reads logs and updates persistent pattern storage normally requires declared access (paths, credentials, or APIs). The lack of declared access is inconsistent with the stated purpose.
Instruction Scope
SKILL.md describes steps like "analyze recent work logs" and "update Pattern Library" but does not specify which files, endpoints, or services to read/write, nor any limits on what data may be collected or transmitted. These instructions give the agent broad, unspecified discretion to gather context and modify libraries, which is scope-creep for an instruction-only skill.
Install Mechanism
No install spec and no code files—nothing will be written to disk by the skill itself during install. This is the lowest-risk install profile.
Credentials
The skill requests no environment variables or credentials but asserts it can analyze "real work logs" when integrated with an EO plugin. If it needs access to other plugins' data or to system logs, those credentials/paths should be declared. The absence of declared access is disproportionate to the described functionality.
Persistence & Privilege
While 'always' is false, the skill advertises autonomous background behavior ("automatically triggered when idle"). Given autonomous invocation is allowed by default, this combination means the skill could run in the background and operate on unspecified data without explicit user action. That autonomy combined with vague data access increases risk.
What to consider before installing
This skill's description and runtime instructions claim it will automatically analyze recent work logs and update a Pattern library, but it doesn't say where logs come from, where patterns are stored, or what permissions/credentials it needs. Before installing, ask the author to provide: (1) a precise data flow — which files, directories, or APIs will be read and written; (2) explicit required environment variables or config paths for any logs or pattern storage; (3) whether any data is sent to external servers and which endpoints; (4) an install or code listing so you can audit what runs; and (5) whether background/autonomous runs can be disabled or require approval. If you cannot get clear answers, run the skill only in a tightly sandboxed environment, disable autonomous invocation, or avoid installation. If you proceed, monitor file access and network traffic and restrict the agent’s permissions to only the specific logs/pattern-store it must use.
Like a lobster shell, security has layers — review code before you run it.
