Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Synapse Code

v2.0.1

Synapse Code: an intelligent code-development workflow engine. It completes project initialization, code delivery, knowledge capture and impact analysis in one place. A built-in code-graph engine understands your project better the more you use it. Use this skill when the user mentions development, implementing a feature, running a pipeline, recording knowledge, or checking the scope of an impact.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name and description (code workflow, pipeline, code-graph/impact analysis) match the declared requirements: python3 and npm and an npm dependency 'gitnexus' (used as the code-graph engine). The files and scripts (init, run_pipeline, auto_log, query_memory, etc.) are appropriate for the stated functionality.
Instruction Scope
SKILL.md and the bundled scripts operate on project directories (.git, .synapse/, .knowledge/), create pipeline artifacts, and persist pipeline summaries and memory (e.g., pipeline_summary.json, Brain state.json, .synapse). That behavior fits the claimed purpose, but the skill automates writing project memory and invoking GitNexus; review scripts for any network calls or unexpected reads/writes before granting access to sensitive repos. The instructions do not request unrelated system credentials in the SKILL.md itself.
Install Mechanism
Install spec installs an npm package 'gitnexus' and provides an install.sh included in the bundle. npm installs are a normal way to include a code analysis CLI, but npm packages run code at install time and can have postinstall scripts—inspect package.json and install.sh. Overall install mechanism is expected for the functionality but carries the usual moderate risk of unreviewed npm packages and install scripts.
Credentials
The skill does not request environment secrets or config paths in the registry metadata. Its operations (project init, local memory writes, running GitNexus) do not require cloud credentials by default. The SKILL.md references config.json and pipeline workspace paths (which may contain user config), so only provide credentials/config if you understand how they will be used.
Persistence & Privilege
always:false and no special platform privileges. The skill writes project-local artifacts (.synapse, .knowledge, pipeline workspace files, /tmp/pipeline_summary.json) and may install a gitnexus binary in the skill directory—this is consistent with a pipeline/agent skill. It does not request to modify other skills or system-wide agent settings in the manifest.
Assessment
This skill appears consistent with its stated purpose (a multi-agent pipeline + knowledge tool). Before installing: 1) Inspect install.sh and package.json for network calls or npm postinstall scripts; 2) Verify the npm package 'gitnexus' origin and reputation (it will be installed into the skill and exposes a 'gitnexus' binary); 3) Run the install and first runs in an isolated environment (container or throwaway VM) if you want to avoid accidental writes to important projects; 4) Note the skill will create and write .synapse/.knowledge and pipeline artifacts (and may read project files under the supplied project path) — do not point it at sensitive repos unless you trust it; 5) If you plan to enable cross-service integrations (Telegram/Feishu/remote scraping), only provide API keys after reviewing where they are stored and sent. If you want extra assurance, share the install.sh and package.json for a targeted review.


latest: vk971vmb6z06nac5nj08p7zsct584w68j


Runtime requirements

Clawdis
Bins: python3, npm

Install

Node
Bins: gitnexus
npm i -g gitnexus
