Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nm Attune Project Specification
v1.0.0
Transform project briefs into testable specifications with user stories, acceptance criteria, and measurable outcomes
by @athola
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md content: it is an instruction-only spec-writing helper that delegates to spec-kit. No required binaries or env vars are declared, which is generally proportionate for a documentation/spec generation skill. However, some template lines (e.g., 'Verification: Run the command with --help') and a mandatory step to create GitHub issues introduce capabilities (CLI/network calls) that are not mirrored in the declared requirements.
Instruction Scope
The instructions include actionable steps that imply executing commands and creating GitHub issues for deferred items. The SKILL.md does not specify which commands to run or which binaries those commands rely on, nor does it limit external writes or require explicit confirmation before making them. This grants the agent implicit discretion to perform external actions (network writes) that are outside the narrow scope of 'generate a specification' unless additional constraints are present.
Install Mechanism
No install spec and no code files: the skill is instruction-only and will not write or execute bundled code. This is the lowest-risk install posture.
Credentials
The SKILL.md asks the author/agent to create GitHub issues (Backlog Issue Creation (MANDATORY)), which ordinarily requires a GitHub token or authenticated Git client, but the skill declares no required environment variables or credentials. That is an incoherence: the skill implies network write operations without requesting the corresponding credential (e.g., GITHUB_TOKEN) or explaining how authentication should occur.
Persistence & Privilege
always:false and no install-time persistence or cross-skill configuration changes are requested. The skill does not request permanent presence or elevated platform privileges.
What to consider before installing
This skill mostly does what it says — it helps craft testable project specs — but there are a few mismatches you should resolve before installing or using it in autonomous mode: (1) The doc instructs creating GitHub issues for deferred items but doesn't request a GITHUB_TOKEN or explain how the agent will authenticate; insist the skill declare any credentials or require explicit user approval before posting to external services. (2) Lines that say 'Run the command with --help to verify availability' look like leftover template text; ask the author which commands (if any) the skill will run and whether those binaries will be present. If you plan to let agents act autonomously, require an explicit opt-in step for any network writes (GitHub issues) or disable autonomous invocation until those behaviors are clarified.
Like a lobster shell, security has layers — review code before you run it.
latest vk9711cdg5113whkpkhfbaqq13584jqfb
Runtime requirements
🦞 Clawdis
