Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Adapter Audit
v1.0.0
Use this skill to audit CLI adapter projects (like opencli) for missing output fields, then batch-generate fixes and submit PRs. Turns AI agents into adapter...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes scanning, modifying adapters, running build/tests, and submitting a PR — all coherent with an 'adapter-audit' purpose. However the registry metadata claims no required binaries or env vars, which is inconsistent: practical execution requires tools like git, node/npm (for npm run build/test), and a mechanism/credential to push branches and open PRs (e.g., GITHUB_TOKEN).
Instruction Scope
Instructions stay on-topic (scan repository files, add fields, run build/test, create a PR). They do not instruct reading unrelated system files or exfiltrating data. Missing are explicit, deterministic steps for authentication and for whether changes should be pushed to a fork or upstream — giving the agent broad discretion about push/PR targets.
Install Mechanism
This is an instruction-only skill with no install spec or code files; that reduces installer risk because nothing is written by the skill package itself.
Credentials
No credentials or environment variables are declared even though the skill's primary function (submitting PRs) typically requires repository write access or a GitHub token. The absence of declared required auth is a mismatch and could result in the agent attempting to use ambient credentials or prompting the user for secrets at runtime.
Persistence & Privilege
The skill is not always-enabled. It will modify local repository files and run build/test commands in the user's workspace — normal for this purpose, but potentially impactful. Because the agent can act autonomously (platform default), if the agent has push privileges the skill could create branches/PRs; the skill itself does not request persistent privileges or alter other skills.
What to consider before installing
This skill is instruction-only and seems designed to edit your repository and create PRs, but the package metadata omits practical requirements. Before installing or running it:
1) Treat it as a tool that will modify your workspace — run it on a fork or disposable branch.
2) Expect it to need git, node/npm (to run npm run build/test), and a GitHub auth method (GITHUB_TOKEN or SSH key) to push and open PRs; ask the publisher which credentials are required and how they are used.
3) Provide least-privilege credentials (e.g., a token scoped only to repo creation/PR for a specific repo or use a fork workflow).
4) Confirm whether the agent will push to upstream or to your fork and whether it will force-push.
5) If you cannot safely provide push credentials, consider running the audit in 'dry-run' mode: have the agent generate patch files or a local branch only, then review and push manually.
6) Ask the publisher to update the skill metadata to declare required binaries and environment variables and to document authentication and PR target behavior.
If you cannot get these clarifications, treat the skill as potentially risky and prefer manual or sandboxed execution.
Like a lobster shell, security has layers — review code before you run it.
