Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Livestock Assistant

v0.1.0

AI-powered livestock management assistant for Spanish-speaking farmers. Provides expert advice on herd management, animal health, reproduction, genetics, nut...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The skill claims to provide a Node.js REST API and references runtime files (scripts/start.sh, src/assistant/systemPrompt.ts), but the bundle contains no code or scripts—only docs. Requiring the node binary and installing ts-node would make sense if code were present, but as packaged the install/requirements are disproportionate to an instruction-only skill.
[!] Instruction Scope
Runtime instructions tell the agent to start a local Express server and to load a system prompt from src/assistant/systemPrompt.ts; those files are not present in the manifest. The SKILL.md also lists reading domain reference files (which are present) — that part is fine — but the missing start script and source files are a clear mismatch.
Install Mechanism
Install spec requests the ts-node npm package (creates ts-node binary). Installing ts-node from npm is a moderate-risk action but is unnecessary here because no TypeScript code is provided. No external download URLs or extract steps are present.
[!] Credentials
requires.env lists OPENAI_API_KEY, ANTHROPIC_API_KEY, and GOOGLE_GENERATIVE_AI_API_KEY, but SKILL.md states 'Set at least one API key' and marks OPENAI_API_KEY as primaryEnv. Requiring all three credentials is disproportionate and inconsistent with the stated 'at least one' policy. Supplying multiple model provider keys increases blast radius if the skill acts autonomously.
Persistence & Privilege
The skill does not request always:true, does not declare config paths, and is user-invocable only. Autonomous invocation is allowed by default (disable-model-invocation: false), which is normal, but combined with the multi-provider credential requirement this raises caution (see guidance).
What to consider before installing
This package appears incomplete or mispackaged. Before installing or providing API keys:
1) Confirm whether the repository actually includes the Node/Express code and the scripts referenced in SKILL.md (scripts/start.sh, src/assistant/systemPrompt.ts).
2) Don't supply all three AI provider keys unless you trust the author — provide only the single provider key you intend to use.
3) Ask the maintainer to fix the manifest so requires.env matches the documented 'at least one' requirement, or include the missing code.
4) If you plan to run the server locally, review the server code and startup script for network endpoints, data collection, and any external calls.
5) If you cannot validate the code/repository, avoid installing or granting credentials; treat this as an untrusted, incomplete skill.

latestvk979qsgdasgfrp79yb97c5jgbx835tq4

Runtime requirements

🐄 Clawdis
Bins: node
Env: OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_GENERATIVE_AI_API_KEY
Primary env: OPENAI_API_KEY

Install

Node
Bins: ts-node
npm i -g ts-node
