Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nervix Onboarding

Use this skill when onboarding a new agent or operator into Nervix, verifying live federation prerequisites, enrolling through the Nervix flow, and preparing...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 17 · 0 current installs · 0 all-time installs
by Semenescu Dan @DansiDanutz
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The stated purpose (onboarding agents into Nervix and publishing to ClawHub) matches the instructions' actions (checking endpoints, enrolling, publishing). However, the skill metadata declares no required binaries or environment variables while the SKILL.md explicitly expects Node.js 22+, corepack/pnpm, a Nervix CLI, and CLAWHUB_API_TOKEN. This undocumented requirement is an incoherence: a legitimate onboarding/publish skill would reasonably need those tools/credentials and should declare them.
Instruction Scope
The SKILL.md stays on-topic: it instructs verifying Nervix endpoints, running an enrollment flow, building a skill bundle, and publishing to ClawHub. It does instruct persisting agentId/access/refresh tokens and signing nonces with an agent keypair — actions that are expected for enrollment flows but that involve creating/storing sensitive credentials. There are no instructions to read unrelated system paths or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which is the lowest filesystem installation risk. No downloads or installers are defined in the skill bundle.
[!] Credentials
The documentation requires sensitive items (CLAWHUB_API_TOKEN, agent keypair for signing, agent tokens) and external tooling (Nervix CLI, Node.js/pnpm) but the registry metadata lists no required environment variables or binaries. The mismatch means the skill may prompt for or expect secrets at runtime that were not declared up-front; users should confirm exactly which credentials are needed and ensure they are appropriately scoped before use.
Persistence & Privilege
The skill recommends persisting agentId/access/refresh tokens and running a heartbeat. That is normal for onboarding. The skill is not set to always:true and does not request system-wide privilege. Still, because it stores and uses long-lived tokens, confirm secure storage and token scoping prior to running enrollment steps.
What to consider before installing
This skill generally does what it says (onboarding and publishing), but the SKILL.md expects tools and secrets that the registry metadata does not declare. Before installing or running:

  1. Verify the skill's origin or vendor (who maintains nervix CLI and the nervix.ai endpoints).
  2. Expect to need Node.js 22+, corepack/pnpm, the Nervix CLI, and a CLAWHUB_API_TOKEN; confirm what exact env vars and CLI binaries will be used.
  3. Review any local repository files referenced (server/clawhub-publisher.ts, client pages) before running enrollment/publish steps.
  4. Limit the scope of any tokens you supply (use least privilege and short-lived tokens if possible) and store them securely.
  5. If you need higher assurance, ask the publisher to update the skill metadata to declare required binaries and env variables (and to supply a trusted install path for the Nervix CLI).

If the publisher cannot clarify, treat the skill as untrusted and perform onboarding manually or in an isolated environment.


Current version: v1.0.0
Tags: agents, federation, latest, nervix, onboarding


SKILL.md

Nervix Onboarding

Overview

Use this skill for end-to-end Nervix onboarding work:

  • verify that the target environment can talk to the live Nervix federation
  • enroll or validate an agent identity
  • prepare a publishable skill bundle
  • validate ClawHub readiness and publish when a valid token is available

Workflow

  1. Confirm scope. Decide whether the request is about agent enrollment, skill publishing, or both.

  2. Verify the live Nervix surface. Check https://nervix.ai and confirm the API root at https://nervix.ai/api/trpc responds. If the repo is available, inspect:

    • server/routers.ts
    • server/clawhub-publisher.ts
    • client/src/pages/OnboardAgent.tsx

  3. Validate local prerequisites. Confirm:

    • Node.js 22+
    • corepack pnpm
    • required env vars for the requested action

  4. Handle enrollment. For CLI enrollment, use the Nervix CLI flow:

    • nervix enroll <name> --roles coder,research
    • nervix whoami
    • nervix status
    • nervix start

    If onboarding through the federation app, verify the same enrollment lifecycle:

    • enrollment.request
    • enrollment.verify
    • heartbeat through agents.heartbeat

  5. Build the skill bundle. The ClawHub publisher in this repo packages from skill-bundle/. Required structure:

    • SKILL.md
    • optional agents/
    • optional references/
    • optional scripts/
    • optional assets/

  6. Validate ClawHub readiness. Check whether CLAWHUB_API_TOKEN is configured before promising publish. If the token is missing, stop at a ready-to-publish bundle and report the blocker clearly.

  7. Publish if authorized. Use the ClawHub publisher path already implemented in the federation:

    • preview bundle
    • validate token
    • publish or auto-bump publish

Publishing Rules

  • Keep skill files text-only unless assets are explicitly needed.
  • Keep SKILL.md concise and procedural.
  • Do not publish with placeholder frontmatter.
  • Bump versions when content changes.
  • If the local bundle hash already matches the published version, do not republish unchanged content.

Troubleshooting

  • If tasks.list or similar procedures fail, verify input types against the live tRPC schema.
  • If publishing fails, inspect server/clawhub-publisher.ts and confirm:
    • valid token
    • bundle root contains SKILL.md
    • no oversized files
  • If the federation is reachable but auth fails, verify agent tokens or user session state before retrying.

References

  • Read references/nervix-federation.md for the concrete onboarding checklist and live endpoints.
