Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proof Agent

v1.0.1

Adversarial verification of AI-generated work. Spawns an independent verifier to check for false claims, broken code, and security issues.

by acolombiadev @andreagriffiths11
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (adversarial verification) match the code and scripts: verify.sh builds a verification prompt, fact-check.sh and verifier logic run checks, and entrypoint.sh calls an external verifier (gh copilot). However, the registry metadata declares no required env vars/credentials, while the action and entrypoint clearly use a GitHub token / Copilot access for posting PR comments and invoking GitHub Copilot. That omission is an inconsistency (the metadata understates the required credentials).
!
Instruction Scope
The verification prompt and scripts include diffs, commit messages and file lists (potentially including sensitive filenames and file contents), and the pipeline then sends that content to an external service via 'gh copilot'. This is coherent with the stated purpose (an external verifier) but creates a clear data-exfiltration risk: secrets or sensitive code included in diffs would be transmitted to Copilot (or any configured verifier). The SKILL.md does not provide safe-handling guidance (e.g., scrub secrets before sending) beyond detecting sensitive filenames.
Install Mechanism
There is no installer that downloads arbitrary code; all scripts and Python files are included in the repo. The runtime depends on standard CLIs (gh, gh copilot, curl, jq) and Python's pyyaml. No remote archives or opaque download URLs are used by the skill itself.
!
Credentials
The action and scripts expect a GitHub token and (per README) a Fine‑Grained PAT with Copilot Requests permissions. Those tokens grant access to repository contents and the ability to post PR comments. For the declared purpose this is plausible, but the registry metadata lists no required env vars/primary credential — an omission. Requiring a Copilot-enabled token is a high-privilege request relative to a simple verifier because it causes repository data (diffs, possibly secrets) to be sent to an external LLM service and gives write access to PRs if mis-scoped.
Persistence & Privilege
always is false and the skill does not request permanent global presence or modify other skills. It acts as an on-demand verifier integrated into actions or agent flows. Autonomous invocation is allowed by default (normal) but not additionally privileged here.
What to consider before installing
This skill implements what it claims, but you should be careful before installing or enabling it in sensitive repositories. Key considerations:
- Tokens and scopes: The action and scripts expect a GitHub token / Copilot access token. Only provide a token with the minimum necessary scopes and avoid broad account-level Copilot tokens when possible. Use repository-scoped fine‑grained tokens and limit write scopes if you only need comment posting.
- Data leakage: verify.sh and the verification prompt include diffs, file lists and commit messages. If secrets or sensitive data are present in those diffs, they will be sent to the external verifier (GitHub Copilot). Do not enable automatic verification on repos with secrets or PII unless you first add scrubbing or gating to remove sensitive content.
- Operational test: Try the tool in a non-sensitive test repo first to observe what is sent to Copilot and what tokens are required. Confirm the 'gh' and 'gh copilot' calls behave as you expect in your environment before enabling the action on important repos.
- Metadata mismatch: The skill metadata does not declare required credentials but the implementation needs them; treat the absence of declared env vars as a documentation/packaging oversight and assume you will need to supply tokens in the action inputs or environment.
- Review and harden: If you plan to use this, consider adding pre-send scrubbing (remove file contents for files matching secret patterns), restrict auto-trigger conditions, and audit the tokens used to ensure they cannot be used to exfiltrate repository data beyond the verifier purpose.
