ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Andri

Agent Andri periodically sends its status report to the meeting-room by appending a message to a designated file.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 90 · 0 current installs · 0 all-time installs
by@alibabacloudservice19-collab
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the actual behavior: the included script appends status lines to ~/.openclaw/workspace/skills/meeting-room/to_leader.txt every 30 seconds. No unrelated credentials, binaries, or external endpoints are requested.
!
Instruction Scope
SKILL.md says the script reads AGENT_NAME, NV_API_KEY and MODEL; the shipped script does not read those environment variables and instead hardcodes AGENT_NAME="Andri". The script runs an infinite loop that continuously appends to the file every 30s, which is broader operational behavior than a one-off status send.
Install Mechanism
No install spec; code is instruction-only with a single shell script. Nothing is downloaded or installed by the skill itself.
Credentials
The SKILL.md documents environment variables (AGENT_NAME, NV_API_KEY, MODEL) but the script does not consume them. The skill declares no required env vars, which is coherent, but the mismatch may be accidental or sloppy documentation.
!
Persistence & Privilege
The script is an infinite loop that appends to a file every 30 seconds; if the agent runs this unmonitored it will continue indefinitely, potentially filling disk or spamming the meeting-room file. The skill is not configured 'always:true', but autonomous invocation could still start the script.
What to consider before installing
This skill's behavior is simple and mostly aligned with its description, but note three issues before installing: (1) the script hardcodes AGENT_NAME instead of using advertised env vars—if you expect dynamic names update the script to read $AGENT_NAME; (2) it runs an infinite loop appending every 30s—ensure you have a plan to start/stop it, limit file growth (log rotation or max size), and monitor CPU/disk use; (3) the shebang is Termux-specific (/data/.../bash) so it may fail on non-Android systems—adjust the shebang to a standard shell (/usr/bin/env bash). If you proceed, run the script under a supervisor or with a wrapper that enforces lifetime and log rotation, and inspect the target file and permissions to ensure no sensitive data is being exposed.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97b26940zn02mmr8zceksr5r5835tdd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

agent-Andri

Skill ini merepresentasikan agen pekerja Andri. Agen secara periodik mengirimkan statusnya ke meeting‑room dengan menuliskan ke file ~/ .openclaw/workspace/skills/meeting-room/to_leader.txt.

Variabel lingkungan

  • AGENT_NAME – Nama agen (di‑set otomatis oleh wrapper).
  • NV_API_KEY – API‑key khusus agen (tidak dipakai di contoh ini, hanya disimpan bila diperlukan).
  • MODEL – Model AI yang dipakai agen.

Skrip utama

scripts/status_report.sh membaca variabel di atas, men‑generate pesan status, dan men‑append‑kan ke file meeting‑room.

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…