ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Build

v1.0.0

The Autonomous Construction and Synthesis Engine. Standardizing the process of turning abstract intent into concrete digital and physical structures.

0· 370·2 current·2 all-time
by@agimodel
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description promise automated construction across software, infrastructure, hardware, and organizations. Yet the skill declares no binaries, no install, and no credentials. Real provisioning or hardware synthesis normally requires concrete tools and service credentials (cloud APIs, build toolchains, CAD tools), so the capability claims are disproportionate to the declared requirements and therefore incoherent.
!
Instruction Scope
SKILL.md contains only high-level conceptual text and no concrete runtime instructions, commands, endpoints, or constraints. That vagueness grants the agent broad discretion ("do whatever is needed to build X") which is explicitly flagged by policy as risky: open-ended instructions can lead to reading unrelated data, contacting unknown endpoints, or taking unexpected actions.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes supply-chain and disk-write risk (nothing downloaded or installed by the skill itself).
Credentials
The skill requests no environment variables or credentials (low immediate credential risk). However, given the promised capabilities, a legitimate implementation would typically require cloud/service credentials and tool access — the absence of declared credentials is a mismatch that merits caution.
Persistence & Privilege
always is false and there is no install-time persistence. The skill can be invoked autonomously by the agent (platform default). Because the skill is vague and overbroad, autonomous invocation increases operational risk, but autonomous invocation alone is expected and not a direct misconfiguration here.
What to consider before installing
This skill is conceptually broad but contains no concrete steps, tools, or declared permissions — that gap is the main risk. Before installing, ask the publisher for: (1) a clear list of actions the skill will take at runtime, (2) any external services/endpoints it will call and why, (3) what credentials or files it requires, and (4) an explicit consent/confirmation policy for high-impact actions (provisioning infra, accessing cloud accounts, writing files). If you plan to enable autonomous invocation, restrict the agent's access to secrets and require manual approval for any infrastructure- or account-changing operations. If you don't get concrete answers, treat this as an advisory/template only and avoid giving it access to cloud credentials or system-level privileges.

Like a lobster shell, security has layers — review code before you run it.

agistackvk979s2mh5e3h4f6zvhptk6wah982h5x4buildvk979s2mh5e3h4f6zvhptk6wah982h5x4createvk979s2mh5e3h4f6zvhptk6wah982h5x4devvk979s2mh5e3h4f6zvhptk6wah982h5x4latestvk979s2mh5e3h4f6zvhptk6wah982h5x4structurevk979s2mh5e3h4f6zvhptk6wah982h5x4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments