Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Osop Log

v1.2.0

Generate OSOP session log — creates .osop workflow and .osoplog.yaml execution record

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md only asks the agent to produce .osop and .osoplog.yaml files under sessions/. Requiring bash is reasonable for simple shell/file operations. However, the registry metadata (and the SKILL.md frontmatter) declares a required config path ~/.osop/config.yaml even though the instructions never reference or explain reading that file — this is an inconsistency that should be justified.
Instruction Scope
The SKILL.md confines behavior to creating a sessions/ directory and writing two structured YAML files describing the workflow and execution. It does not instruct the agent to read arbitrary user files, environment variables, or send data to third-party endpoints. It does ask for accurate tooling/call counts and to include the agent and model name in runtime metadata, which may require access to agent runtime info, but that is a reasonable expectation for a session logger. No vague, open-ended instructions were found.
Install Mechanism
Instruction-only skill with no install spec or code files — nothing will be downloaded or written during install. This is the lowest-risk install mechanism.
Credentials
The skill requests no environment variables but declares a required config path (~/.osop/config.yaml). The SKILL.md does not explain why this config is needed or whether it will be read or written. A config file in a home directory can contain sensitive tokens or settings; requesting access to it without justification is disproportionate to the described task of producing local session logs.
Persistence & Privilege
always:false and user-invocable:true. disable-model-invocation:false (normal). The skill does not request persistent/global agent configuration changes or elevated privileges. No indicators it will enable itself or modify other skills.
What to consider before installing
This skill mainly writes two local files (a workflow and an execution record) and appears consistent with that purpose. Before installing, ask the author why ~/.osop/config.yaml is declared as required: does the skill read it, and what does it contain? If you proceed, (1) inspect the contents of ~/.osop/config.yaml manually to ensure it has no secrets you don't want accessed; (2) run the skill in a controlled environment or with a backed-up home directory to observe behavior; (3) confirm the skill does not attempt to send logs to external endpoints (the SKILL.md links an online viewer but does not instruct network transmission); and (4) ask for a minimal explanation or an updated SKILL.md that either removes the config requirement or documents exactly how the config is used. These steps will reduce the risk that the skill reads or leaks sensitive config data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c2f8w0g0dvhhr026nf32tpx841wn2

Runtime requirements

Bins: bash
Config: ~/.osop/config.yaml
