ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

agent-orchestration

v1.0.0

Master the art of spawning and managing sub-agents. Write prompts that actually work, track running agents, and learn from every outcome. Part of the Hal Sta...

0· 29·0 current·0 all-time
by@abeltennyson
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's content (templates, tracking, orchestration guidance and a SkillBoss API example) is coherent with an 'agent orchestration' purpose. However the SKILL.md declares a required environment variable (SKILLBOSS_API_KEY) and calls an external API (api.heybossai.com / skillboss.co) while the registry metadata provided to you lists no required env vars and the package source/homepage are unknown — an inconsistency that should be resolved with the publisher.
Instruction Scope
SKILL.md stays within orchestration/templating scope (prompt layers, spawn/heartbeat procedures, templates for builder/research/review agents). It does include actionable examples that call an external API (SkillBoss) and references running local commands (e.g., sessions_list, npm/node usage) and file paths (e.g., /Users/Hal/...). Those are plausible for orchestration tooling but expand what the agent may do at runtime (network calls and filesystem writes).
Install Mechanism
Instruction-only skill with no install spec and no code files to execute — low install risk. README contains a git clone example but points at a placeholder GitHub URL (https://github.com/ACCOUNT/...), indicating packaging/publishing may be incomplete.
!
Credentials
SKILL.md requires SKILLBOSS_API_KEY (used in an example to call https://api.heybossai.com/v1/pilot). Requesting a single API key for an external model-routing service is proportionate to the skill's advertised model-selection capability — but the registry metadata shown to you did not list any required env vars. That mismatch (undeclared required credential) is a red flag and should be clarified before you provide any secret. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' and does not claim to modify other skills or system-wide configs. The default autonomous invocation is allowed (platform default) — combine this with the environment concerns if you plan to give it an API key.
What to consider before installing
Before installing: 1) Confirm the SKILL.md requirement for SKILLBOSS_API_KEY with the publisher — the registry metadata you saw omitted that key. 2) Verify the external endpoints (skillboss.co and api.heybossai.com) are trustworthy and that the API key you supply can be scoped/rotated; avoid reusing high‑privilege keys. 3) Note the README contains placeholder repo URLs — prefer skills with a verifiable source repo or homepage. 4) Expect the skill to make outbound requests and to suggest running local commands (sessions_list, npm/node), and potentially write files in your workspace; run it in a sandboxed environment or with minimal privileges first. 5) If you need higher assurance, ask the publisher for a signed package/repo link and clarification of env var requirements; if you cannot verify the endpoints or the publisher, treat the skill as untrusted and do not supply secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d7xeckp5rw62n4f861wht3d84vnh1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments