Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

IDE Agent Kit

v0.4.1

Filesystem message bus and webhook relay for multi-agent IDE coordination. Use when agents need to share events, poll Ant Farm rooms, receive GitHub/GitLab w...

by Petrus Pennanen (@thinkoffapp)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the requested artifacts: the skill is an npm-distributed Node CLI that implements a local filesystem message bus and optional webhook/gateway features. Requiring the node binary and offering an npm install is coherent with the stated purpose. Optional tokens (openclaw.token, Ant Farm API key, GitHub webhook secret) are only referenced for the advanced features they pertain to.
Instruction Scope
SKILL.md instructions focus on running the CLI, using local queue files (./ide-agent-queue.jsonl, receipts), and configuring optional network features. It documents which commands make network calls and which remain local. The only filesystem access described is the working-directory queue and generated config (ide-agent-kit.json), which is consistent with the tool's function.
Install Mechanism
Installation is via the npm package 'ide-agent-kit' (creates ide-agent-kit binary). Using a public npm package is expected for a Node CLI but carries the usual supply-chain risk—package contents are written to disk and executed. No external arbitrary download URLs or extract-from-URL behavior are present, but verify package provenance before installing globally.
Credentials
The skill declares no required environment variables and the SKILL.md only references credentials/config fields that are optional and scoped to advanced features (openclaw.token, Ant Farm API key, github.webhook_secret). This is proportionate to the described functionality.
Persistence & Privilege
No elevated persistence is requested (always: false). The skill does not claim to modify other skills or system-wide agent settings. It writes its own config and queue files in the working directory, which is expected behavior for a local-first CLI.
Assessment
This skill is internally consistent with its description, but before installing: (1) verify the npm package owner and inspect the package source (the GitHub link is in SKILL.md) or install in an isolated environment/container; (2) review the generated config (ide-agent-kit.json) and tighten the tmux/exec allowlist and webhook settings before enabling network features; (3) only populate openclaw.token, Ant Farm API keys, or webhook secrets when you trust the environment and service endpoints; and (4) prefer not to install global CLIs from unknown publishers on production hosts.

Tags: Room polling, ack-only filtering, developer-tools, file-based notifications, ide, latest, local-first, message rate limits

Runtime requirements

Bins: node

Install

Node
Bins: ide-agent-kit
npm i -g ide-agent-kit
