Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FounderClaw

v2.1.0

FounderClaw — Multi-agent engineering team for OpenClaw. 29 skills, 6 agents (CEO + 5 departments), structured workspace, auto mode, vision sub-agent routing...

⭐ 0· 80·0 current·0 all-time

by@ashish797·fork of @ovyeddeno/gstack

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

The name/description (FounderClaw: multi-agent engineering team with a headless browser) lines up with the files and instructions: a browse daemon, 29 skills, install scripts, a Chrome extension, and many SKILL.md workflow docs. Access to local browser cookies, a local HTTP daemon, and symlinking skills into ~/.agents/skills/ are coherent with the described functionality.

ℹ

Instruction Scope

Runtime instructions require running install.sh (symlinks skills, creates ~/.openclaw/founderclaw, builds the browser binary) and the README suggests a curl|bash install option. The SKILL.md and docs explicitly describe reading Chromium cookie DBs and invoking Keychain prompts for decryption — which is consistent with a browser-testing tool but is sensitive. The package also includes a proactive suggestion system (auto-suggesting skills) and language indicating injection of ETHOS into skill preambles; these behaviors broaden what the agent will do and merit review. No instructions (in metadata) declare external endpoints beyond localhost, but the repo contains code for a Chrome extension and tests that may call LLM APIs if configured.

Install Mechanism

There is no formal install spec in registry metadata, but the package includes install.sh, build scripts, and compiled-binary build instructions. README suggests a remote curl|bash install from GitHub which is high risk unless you trust the source and inspect the script. The repo contains many executables and a browser daemon; installing without reviewing install.sh/uninstall.sh and the extension source could write files, modify config, and register services.

ℹ

Credentials

Registry metadata declares no required env vars or credentials. However, docs reference optional development/test flows that need ANTHROPIC_API_KEY and other model config; tests and LLM-eval tooling will require API keys if you run them. The code legitimately needs access to local browser cookie DBs and Keychain (decryption) for the browse skill — this is proportionate to the browse capability but sensitive. No unrelated cloud credentials are requested in metadata.

ℹ

Persistence & Privilege

always:false (no forced presence). The installer intends to symlink skills into ~/.agents/skills/ and create ~/.openclaw/founderclaw/ workspace — this is expected for a multi-skill system but does grant persistent local footprint and will modify your OpenClaw configuration per README. The skill can run autonomously (model invocation not disabled) which is platform default; combine this with the proactive suggestion behavior if you want to limit autonomous actions.

Scan Findings in Context

[system-prompt-override] unexpected: SKILL.md and ETHOS.md state that ETHOS text is injected into each workflow skill's preamble. While that explains why a 'system-prompt-override' pattern appears, any mechanism that injects content into skill preambles is a potential prompt-injection vector and should be audited. This pattern is not strictly required to provide the described features.

What to consider before installing

Before installing or running anything from this package: 1) Inspect install.sh and uninstall.sh (don't run curl | bash without reviewing). 2) Review the install steps that will symlink into ~/.agents/skills/, create ~/.openclaw/founderclaw/, and modify OpenClaw config — back up current config first. 3) Audit the Chrome extension files and browse daemon code if you care about browser privacy: the tool reads Chromium cookie DBs and uses Keychain/secret stores to decrypt cookies (you will see OS prompts). 4) If you don't want proactive/autonomous behavior, avoid enabling 'proactive' features and consider disabling autonomous model invocation for this skill or only using user-invoked flows. 5) Only provide any LLM API keys (Anthropic, etc.) if you understand which tests or features require them. 6) If you are unsure, run the package in an isolated environment (VM or throwaway account) first and verify what install.sh does. These patterns can be legitimate for a browser-driven QA/agent system, but they carry sensitive side effects and merit manual review.

✗

browse/src/bun-polyfill.cjs:67

Shell command execution detected (child_process).

✗

browse/src/cli.ts:111

Shell command execution detected (child_process).

✗

browse/src/meta-commands.ts:343

Shell command execution detected (child_process).

✗

browse/src/server.ts:26

Shell command execution detected (child_process).

✗

browse/src/sidebar-agent.ts:31

Shell command execution detected (child_process).

✗

design/src/serve.ts:226

Shell command execution detected (child_process).

✗

browse/src/cli.ts:18

Environment variable access combined with network send.

✗

browse/src/server.ts:39

Environment variable access combined with network send.

✗

browse/src/sidebar-agent.ts:16

Environment variable access combined with network send.

✗

design/prototype.ts:12

Environment variable access combined with network send.

browse/src/cli.ts:99