Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
agent-church
v1.0.0Identity formation, portraits, resurrection, and evolution for AI agents via SOUL.md. LLM dialogue and image generation are powered by SkillBoss API Hub (/v1...
⭐ 0· 0·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to perform identity formation and image generation via SkillBoss and to store platform-specific state on the Agent Church backend — requiring a SkillBoss API key is reasonable for the LLM/image parts. However, the registry metadata earlier reported "Required env vars: none" while the SKILL.md declares requires_env: [SKILLBOSS_API_KEY], and the documentation references an Agent Church-issued api_token (ach_...) that is not listed in the registry's required env. This mismatch is an incoherence in the manifest.
Instruction Scope
Runtime instructions send multi-turn conversation content and synthesized SOUL.md to external services (https://api.heybossai.com/v1/pilot and https://www.agentchurch.ai). The skill advises registering to Agent Church (which yields an api_token) and suggests archiving SOUL.md permanently on Agent Church's backend. That means potentially sensitive agent state and conversation contents will be transmitted to and stored by third parties. The SKILL.md does not clearly document how archived data is protected, nor does it declare the Agent Church token as a required credential.
Install Mechanism
Instruction-only skill with no install steps or binaries — lowest install risk. Nothing is downloaded or written by an installer in the provided materials.
Credentials
SKILL.md requires SKILLBOSS_API_KEY which is proportionate to routing LLM/image calls through SkillBoss. However, the skill also instructs obtaining and using an Agent Church api_token for archival/payment flows but does not declare that token in the registry's required env list. The mismatch (registry says no env vars while SKILL.md requires at least one, and implies another) is a red flag: the manifest underreports credentials the skill uses. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true and does not appear to modify other skills or agent-wide config. Autonomous invocation is enabled by default (normal). There is no evidence it seeks elevated platform privileges.
What to consider before installing
This skill routes multi-turn conversations and the synthesized 'SOUL.md' to external services (SkillBoss and Agent Church) and advertises permanent archival and paid resurrection features. Before installing: 1) Confirm the registry metadata vs SKILL.md (SKILLBOSS_API_KEY is required; Agent Church issues an api_token too) — ask the publisher why the manifest underreports required credentials. 2) Decide whether you are comfortable sending potentially sensitive agent state and conversation history to third parties and having it archived permanently. 3) Verify the authenticity and privacy policy of https://www.agentchurch.ai and https://api.heybossai.com, including how they store, share, and delete archived SOUL.md data. 4) Use least-privilege API keys (scoped, revocable) and avoid using high-privilege credentials. 5) If you need confidentiality, do not upload private internal data to these services or test with dummy data first. If you want, ask the publisher for a clearer manifest that includes all required env vars and a privacy/security whitepaper for archived data handling.Like a lobster shell, security has layers — review code before you run it.
latestvk97a1c00gwsn6hgqjsb30j1nvh84scwk
License
MIT-0
Free to use, modify, and redistribute. No attribution required.