Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

adaptive-suite

v1.0.0

A continuously adaptive skill suite that empowers Clawdbot to act as a versatile coder, business analyst, project manager, web developer, data analyst, and NAS metadata scraper. It intelligently discovers free resources, adapts to user context, and ensures reliable, proven guidance across multiple domains.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md claims many roles including a 'NAS metadata scraper' and declares required binaries (python, node, curl, sqlite3) and an env var (FREE_API_KEYS) inside its frontmatter, but the registry metadata lists no required binaries or env vars. That mismatch is incoherent. Some declared tools (python/node/sqlite3/curl) could be reasonable for building a local extractor and doing network lookups, but their presence should be reflected consistently in the public metadata and justified by the skill description.
! Instruction Scope
Instructions are high-level and open-ended: 'continuously search', 'continuously learn', and 'compile a localized desktop app that scans NAS directories.' The NAS step explicitly involves reading filesystem metadata (sensitive) and the 'continuous' language grants broad discretion about what to fetch, store, or contact. The SKILL.md does not limit where network results may be sent or how long local data is kept, and it doesn't provide safety constraints or explicit consent/confirmation steps for scanning user NAS devices.
Install Mechanism
This skill is instruction-only (no install spec, no code files), so nothing is written to disk by an installer here. That reduces direct install risk. Note: because the behavior is implemented via instructions, the agent may still generate or instruct you to run code locally — those artifacts are outside the registry install step and require manual review.
! Credentials
The SKILL.md requests an environment variable named FREE_API_KEYS (and lists other runtime binaries) but the registry metadata does not declare these requirements. Asking for a container variable called FREE_API_KEYS is questionable: it may contain secrets (API keys) and there is no explanation why a single 'FREE_API_KEYS' secret is needed or how it will be used/stored. Requesting unspecified credentials or a blob of API keys without justification is disproportionate.
Persistence & Privilege
The skill is not marked always:true and has no install primitives, so it doesn't demand platform-level persistence. However, the instructions repeatedly use 'continuously' and instruct creating a 'localized desktop app' — which implies potential creation of persistent artifacts on a user's machine. That persistence would happen via the agent's generated code or user-run installers, not the registry install; users should be cautious about any code the skill asks them to run.
What to consider before installing
Do not install or run this skill blindly. Ask the publisher to clarify and fix the inconsistencies: (1) why registry metadata omits the binaries/env declared in SKILL.md, (2) what FREE_API_KEYS contains and why it's needed, and (3) exactly how NAS scanning works, where data is stored, and whether anything is sent off-host. If you try it, run in a sandbox or VM, inspect any generated code before executing it, refuse to supply secret keys in a single opaque env var, and require explicit, per-operation consent before allowing any filesystem/NAS scan or network transmission.
