Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Osop Optimize

v1.2.0

Analyze .osoplog execution history to optimize workflows — finds slow steps and parallelization opportunities

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the SKILL.md instructions (read .osop file, find .osoplog.yaml files, analyze, propose edits). However the registry metadata declares a required config path (~/.osop/config.yaml) that the SKILL.md never references. Requiring a user config file in home (~/.osop) is not obviously necessary for the described task and is an unexplained access request.
Instruction Scope
The SKILL.md stays on-topic: it reads the provided .osop file and nearby sessions/*.osoplog.yaml, aggregates stats, generates suggestions, shows a diff, and applies changes only if the user approves. It does instruct writing changes to the user's .osop file (with user confirmation) — this is expected behavior but users should review diffs. The instructions do not mention reading ~/.osop/config.yaml despite it being declared required.
Install Mechanism
Instruction-only skill with no install spec and no code files. Lowest-risk install surface (nothing is downloaded or written at install time).
Credentials
No environment variables or credentials are declared, which is appropriate. However the explicit requirement of ~/.osop/config.yaml is disproportionate because the runtime instructions never justify reading that file. That config may contain tokens, endpoints, or other sensitive settings — requesting it without explanation is a red flag.
Persistence & Privilege
always:false and user-invocable:true (default autonomous invocation allowed) — no elevated persistent privileges requested and the skill does not claim to modify other skills or global agent settings.
What to consider before installing
This skill appears to do what it claims, but it asks for access to ~/.osop/config.yaml without explaining why. Before installing or running it:
1) Ask the publisher why the config file is required and what data from it is used.
2) Inspect ~/.osop/config.yaml yourself (or provide a copy of it stripped of secrets) to see if it contains API keys, tokens, or endpoints.
3) Run the skill first on a copy of your .osop file and logs (not production files) and confirm the diff before applying changes.
4) If you don't want the skill to read your home config, see if the skill author will remove that requirement or allow providing any needed settings explicitly.
5) Because this is an instruction-only skill with no code to inspect, prefer running it in a safe/test environment until the author clarifies the config usage.

Like a lobster shell, security has layers — review code before you run it.

latestvk976gtvsq3prd5s1wn2xvyx6pd8400jv


Runtime requirements

Bins: bash
Config: ~/.osop/config.yaml
