ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Muse

Give ClawBot access to your team's entire coding history. Muse connects your past sessions, team knowledge, and project context—so ClawBot can actually help design features, mediate team discussions, and work autonomously across your codebase. Deploy at tribeclaw.com.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 2.1k · 0 current installs · 0 all-time installs
by@alexander-morris
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes exactly the capability promised (searching past sessions, extracting code, syncing a knowledge base, and orchestrating autonomous agents) and uses a 'tribe' CLI to do so, which is coherent with the skill's stated purpose. However, the registry metadata provided with the skill claims no install spec, no required binaries, and no credentials, while the SKILL.md includes a moltbot metadata block that requires the 'tribe' binary and an npm install of '@_xtribe/cli'—an inconsistency that should be explained by the publisher.
!
Instruction Scope
The instructions tell the agent (and user) to run commands that can read, extract, and sync project files and session history (e.g., 'tribe extract', 'tribe kb sync', 'tribe import', 'tribe -force -all'). Those operations can upload large amounts of source code and telemetry to the remote service. The SKILL.md also instructs 'tribe login' (which will create credentials/session tokens) but does not document where session data or repo contents are stored or who can access them. The scope of data collection and transmission is broad and not fully documented in the manifest.
!
Install Mechanism
Although the registry summary lists no install spec, the SKILL.md includes an install block (npm package '@_xtribe/cli' with a postInstall of 'tribe login'). Installing an npm package from a scoped/unknown publisher is moderate risk: it's a third-party package (not a well-known release host guaranteed by the registry metadata), and the SKILL.md triggers interactive login. The mismatch between registry metadata and SKILL.md about installation is suspicious and increases risk.
!
Credentials
The registry metadata lists no required environment variables or credentials, but the SKILL.md requires 'tribe login' (implying credential storage) and commands like 'tribe kb sync' and 'tribe import' that will likely transmit repository data or tokens. The skill requests access to highly sensitive data (your team's code history) without declaring what credentials, endpoints, or token scopes are required or how they are stored/used—this is disproportionate and undocumented.
Persistence & Privilege
The skill does not request 'always: true' and does not declare changes to other skills or system-wide settings. However, because the agent can invoke the skill autonomously and the skill uses an external CLI that stores login sessions/tokens, autonomous use could give the agent the ability to access and sync large amounts of code. This combination raises the blast radius but is not itself a manifest privilege escalation.
What to consider before installing
Do not install or run this skill without vetting the upstream tooling and data flow. Specific steps to take before proceeding: - Ask the publisher for the authoritative source (repository or homepage) and compare the SKILL.md install block to the registry metadata; require them to fix the inconsistency. - Inspect the npm package '@_xtribe/cli' source (or request it) and confirm its publisher, recent releases, and what the 'tribe login' command does and where it stores tokens. - Confirm where session data and synced code are hosted (what endpoints, who controls them—tribeclaw.com is mentioned) and review their privacy/security policies and retention rules. - If you must test, run the CLI in an isolated environment (throwaway VM or container) with limited network access and limited credentials, and do not run 'tribe -force -all' or 'kb sync' until you understand what gets uploaded. - Prefer skills whose registry metadata accurately declares installs and credentials; missing or inconsistent metadata is a red flag. If you can obtain the upstream source or clearer manifest, re-evaluation could raise confidence and change the verdict.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.3.0
Download zip
latestvk976zbhfjaj7p2bxb7sv8ehva580n2s8

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Muse Skill

Use the tribe CLI to access your AI coding analytics, search past sessions, manage a personal knowledge base, and orchestrate autonomous agents.

Quick Deploy

Want your own MUSE-enabled instance? Visit tribeclaw.com to deploy a fully configured instance with MUSE support in just a couple minutes.

Setup

Requires authentication: Run tribe login first. Most commands need an active session.

Telemetry

Check collection status:

tribe status

Enable/disable telemetry:

tribe enable
tribe disable

Show version info:

tribe version

Search

Search across all coding sessions:

tribe search "authentication middleware"
tribe search "docker compose" --project myapp --time-range 30d
tribe search "API endpoint" --tool "Claude Code" --format json

Sessions

List and inspect coding sessions:

tribe sessions list
tribe sessions list --cwd --limit 10
tribe sessions read <session-id>
tribe sessions search "auth fix"
tribe sessions events <session-id>
tribe sessions context

Recall a session summary:

tribe recall <session-id> --format json

Extract content from a session:

tribe extract <session-id> --type code
tribe extract <session-id> --type commands --limit 10
tribe extract <session-id> --type files --format json

Query

Query insights and sessions with filters:

tribe query sessions --limit 10
tribe query sessions --tool "Claude Code" --time-range 30d
tribe query insights
tribe query events --session <session-id>

Knowledge Base

Save, search, and manage knowledge documents:

tribe kb save "content here"
tribe kb save --file ./notes.md
tribe kb search "deployment patterns"
tribe kb list
tribe kb get <doc-id>
tribe kb tag <doc-id> "tag-name"
tribe kb delete <doc-id>
tribe kb sync
tribe kb extract

MUSE (Agent Orchestration)

Note: MUSE commands require tribe -beta. Some commands (attach, monitor, dashboard) are TUI-only and must be run manually in a terminal.

Start and manage the leader agent:

tribe muse start
tribe muse status --format json
tribe muse agents --format json

Spawn and interact with subagents:

tribe muse spawn "Fix the login bug" fix-login
tribe muse prompt fix-login "Please also add tests"
tribe muse output fix-login 100
tribe muse review fix-login
tribe muse kill fix-login --reason "stuck"

TUI-only (run these manually):

  • tribe muse attach - Attach to leader session
  • tribe muse monitor - Real-time health monitoring
  • tribe muse dashboard - Live dashboard

CIRCUIT (Autonomous Agents)

Note: CIRCUIT commands require tribe -beta. Some commands (attach, dashboard) are TUI-only.

Manage autonomous agent sessions:

tribe circuit list
tribe circuit status
tribe circuit metrics
tribe circuit spawn 42
tribe circuit next
tribe circuit auto --interval 30

TUI-only (run these manually):

  • tribe circuit attach <number> - Attach to session
  • tribe circuit dashboard - Real-time dashboard

Project Management

Import projects from AI coding assistants:

tribe import

Tips

  • Use --format json on most commands for structured output suitable for piping.
  • Use --time-range 24h|7d|30d|90d|all to scope searches.
  • Use --project <path> or --cwd to filter to a specific project.
  • Beta commands: prefix with tribe -beta (e.g., tribe -beta muse status).
  • Force sync: tribe -force (current folder) or tribe -force -all (everything).

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…