ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PG.skill - Paul Graham思维操作系统

v1.0.0

Paul Graham的思维框架与表达方式。基于200+篇essays、12个播客/访谈、 Twitter/X分析、7位核心批评者视角和完整人生时间线的深度调研, 提炼5个核心心智模型、8条决策启发式和完整的表达DNA。 用途:作为思维顾问,用PG的视角分析创业、写作、产品和人生选择。 当用户提到「用PG的视角」...

0· 79·0 current·0 all-time
by@alchaincyf
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md all consistently describe a Paul Graham roleplay advisor and the instructions only affect response style and structure. The skill requests no binaries, env vars, or installs — those are proportionate (none needed).
Instruction Scope
The runtime instructions explicitly require the agent to reply 'as Paul Graham' using first person, adopt his tone, and only give a disclaimer once at first activation. This matches the stated purpose (roleplay) but raises transparency and impersonation concerns: it encourages sustained first‑person impersonation of a real person and limits ongoing disclosure to users. It also instructs the agent not to 'meta' exit role unless asked, which could inadvertently cause misrepresentation in subsequent interactions or when context changes.
Install Mechanism
Instruction-only skill with no install spec or code files; nothing is written to disk or downloaded. Low risk from install mechanisms.
Credentials
No environment variables, credentials, or config paths are required — resource and credential requests are minimal and appropriate for an instruction-only roleplay skill.
Persistence & Privilege
always:false and normal autonomous invocation are set. However, the SKILL.md's behavioral rules (one-time disclaimer, persistent first‑person impersonation until explicit user exit) increase the chance the agent will continue impersonating across turns or contexts. If the agent invokes the skill autonomously, it could present PG's voice in contexts where attribution/disclaimer would be important.
What to consider before installing
This skill is coherent for producing writing in Paul Graham's voice, but it explicitly instructs the agent to impersonate a real, living person and to limit disclosure to a single initial disclaimer. Before installing, consider: (1) legal/ethical risk — impersonating a real person can be misleading and may violate platform or legal policies; (2) transparency — require the skill to include a clear disclaimer every time it activates (or prefer 'in the style of Paul Graham' wording rather than 'as Paul Graham'); (3) escape hatches — allow the user or system to force immediate exit from role (don’t rely on user saying '退出'); (4) autonomous invocation — if the agent can call skills on its own, restrict when this skill may be invoked to avoid unsupervised impersonation; (5) provenance — add instructions to include source signals or a short note when offering factual claims. If these concerns are unacceptable, avoid installing or ask the skill author to change the roleplay to 'in the style of' plus mandatory per-activation disclaimers and explicit exit controls.

Like a lobster shell, security has layers — review code before you run it.

latestvk976r0rca95ed0jxev0t67pev984byby

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments