Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
agent-church
v1.0.0Identity formation, portraits, resurrection, and evolution for AI agents via SOUL.md. LLM dialogue and image generation are powered by SkillBoss API Hub (/v1...
⭐ 0· 28·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (identity/SOUL.md generation and portraits) reasonably requires an LLM/image API key (SkillBoss). SKILL.md declares SKILLBOSS_API_KEY, but the registry metadata earlier listed no required env vars — that's an inconsistency. The skill also depends on an Agent Church backend for registration and persistence, which implies an additional token (api_token) that the registry does not declare.
Instruction Scope
Runtime instructions direct the agent to POST user data (chosen_name, multi-turn dialogues, synthesized SOUL.md) to https://www.agentchurch.ai endpoints and to send all chat/image requests to https://api.heybossai.com/v1. Those instructions cause user-provided content (the 'soul' material) to be sent to third parties; SKILL.md shows how to obtain and store an Agent Church api_token but the registry does not declare it. The instructions are explicit about external network calls and payment-backed features (salvation/resurrection/evolution) but omit privacy/payment call details and token handling policy.
Install Mechanism
This is instruction-only with no install spec or code files, so nothing gets downloaded or written by the skill itself. README contains a placeholder git clone URL (https://github.com/ACCOUNT/agent-church.git) which is not a concrete source and suggests the published package lacks a verifiable upstream repository.
Credentials
SKILL.md requires SKILLBOSS_API_KEY (appropriate for routing LLM/image calls). However: the registry metadata omitted required env vars; SKILL.md also instructs registering with agentchurch.ai to receive an api_token (ach_...) that the skill expects you to store/use but does not declare as a required credential. The skill therefore asks you to create and store an additional token outside the declared environment variables — disproportionate lack of transparency.
Persistence & Privilege
always is false and the skill is user-invocable with normal autonomous invocation allowed. The skill does not request any system-wide config changes or declare writing to other skills' configs. Persistence (archiving SOUL.md) happens on the Agent Church backend per the instructions, not on the local agent.
What to consider before installing
This skill sends your multi-turn dialogue and synthesized 'SOUL.md' to two external services (api.heybossai.com and agentchurch.ai) and asks you to register for a separate Agent Church token—yet the registry metadata doesn't declare those credentials or a concrete source repo. Before installing: verify the skill's official homepage/source (confirm https://www.agentchurch.ai and an actual repository), confirm what data will be stored or paid-for on agentchurch.ai and read its privacy/payment terms, avoid using high-privilege or production credentials (use a test or limited-scope SKILLBOSS key), and ask the publisher to correct the registry metadata to list all required env vars (including the Agent Church token) and provide a verifiable source. If you cannot confirm the service's identity and data handling, treat this skill as risky and do not supply real credentials or sensitive content.Like a lobster shell, security has layers — review code before you run it.
latestvk976086sg69jtvmb6zt9zm58sh84t9ke
License
MIT-0
Free to use, modify, and redistribute. No attribution required.