Osop
v1.2.0
OSOP workflow authoring, validation, risk analysis, and self-optimization for AI agents
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name, description and listed capabilities align with requested artifacts: YAML parsing (pyyaml), optional Python binary, a per-user config (~/.osop/config.yaml), and an OSOP control-plane URL (OSOP_MCP_URL) are reasonable for defining/validating/executing workflows and talking to a remote management endpoint.
Instruction Scope
SKILL.md stays on-topic: it describes creating, validating, risk-assessing, converting, reporting and executing .osop workflows and producing .osoplog.yaml session logs. It does not instruct the agent to read unrelated system files or harvest unrelated environment variables. Note: executing workflows inherently may run CLI/db/git/docker/infra steps defined by the user’s workflows; those actions are expected but can be destructive depending on the workflow content.
Install Mechanism
Install spec is a single Python YAML library (pyyaml) via a 'uv' install kind (likely a virtualenv/pip install). Installing pyyaml is proportionate for YAML parsing; the install kind is somewhat ambiguous but not unusual. No arbitrary remote archive downloads or unusual installers are present.
Credentials
The only declared external artifact is OSOP_MCP_URL (primaryEnv) and a per-user config path. Requiring a management endpoint URL is reasonable for a workflow execution/management skill. However, ~/.osop/config.yaml may contain credentials/tokens — the user should review that file and the MCP endpoint before enabling the skill.
Persistence & Privilege
Skill is not forced-always (always:false) and is user-invocable. It does not request system-wide privileges or modifications to other skills. disable-model-invocation is false (normal for skills), so the skill may be invoked by the agent when permitted.
Assessment
This skill appears coherent with its stated purpose, but take these precautions before installing: (1) Inspect ~/.osop/config.yaml for any stored secrets or tokens and remove or rotate them if you don't trust the publisher. (2) Verify the OSOP_MCP_URL endpoint (is it an official/owned service?) and avoid pointing it to untrusted servers that could receive logs or workflow contents. (3) Remember that executing workflows can run 'cli', 'db', 'docker', 'infra' steps defined in the .osop file; only run workflows you've reviewed or that include approval gates. (4) Installing pyyaml is low-risk but will add a Python dependency; if you have strict supply-chain requirements, consider installing it in an isolated environment. If you need higher assurance, ask the publisher for source code or an official package release to audit how the MCP endpoint and config are used.
Like a lobster shell, security has layers — review code before you run it.
latest vk97fqxa0gxseb5rt79pfn31dcs841xm9
Runtime requirements
Any bin: python3, python
Config: ~/.osop/config.yaml
Primary env: OSOP_MCP_URL
Install
uv
uv tool install pyyaml