Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nm Attune War Room
v1.0.0
Convene a multi-LLM expert panel to pressure-test high-stakes decisions and build consensus through structured deliberation
by @athola
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description (multi-LLM war room) align with its instructions to orchestrate multiple expert models, persist sessions, and publish outcomes. The declared required config paths (conjure delegation, memory palace strategeion, leyline git-platform) are coherent with the described integrations. However, the SKILL.md assumes the presence of many local CLIs (gh, gemini, qwen, claude-glm/ccgd) and a local repository layout; those dependencies are not declared as required binaries or environment variables, which is an omission that reduces transparency.
Instruction Scope
Runtime instructions read/write local storage (~/.claude/memory-palace/strategeion and .attune/war-room-session.json), invoke local scripts (e.g., python3 scripts/deferred_capture.py), call local/external LLM CLIs, and by default publish session summaries to GitHub Discussions. Two specific troubling behaviors: (1) 'Capture is automatic: do not prompt the user for confirmation' — automatic capture of rejected COAs into local archives may surprise users and could persist sensitive drafts without consent; (2) Publishing defaults to 'Publish' (opt-out) and will create GitHub Discussions via the gh CLI if authenticated. The skill also references a flag/command (--dangerously-skip-permissions) and suggests creating an alias that bypasses permission checks — an operation outside the scope of a deliberation helper and potentially risky.
Install Mechanism
There is no install spec (instruction-only), so nothing is written by an installer. That limits supply-chain risk. However, the skill depends heavily on external binaries and CLIs (gh, gemini, qwen, claude, claude-glm/ccgd, tmux, python3) that must already exist; the SKILL.md both invokes and recommends aliases and flags for those tools. Because installations and aliasing are suggested in prose, the skill could prompt operators to perform potentially risky local changes (e.g., adding an alias that includes '--dangerously-skip-permissions').
Credentials
requires.env lists none, yet the instructions assume access to external platform credentials and local auth: gh CLI authenticated state (GitHub token), conjure delegations to external LLM services, and presumably config entries referenced by the required config paths (git-platform, delegation-core, strategeion). The skill therefore expects secrets/credentials to be available in the environment or via local CLI auth, but does not declare them, making credential use opaque. Also, the default publish-to-GitHub behavior can expose deliberation content to an external platform unless the user explicitly opts out.
Persistence & Privilege
The skill persists session artifacts to a local memory palace path and may update local session files (e.g., strategeion archive, .attune/war-room-session.json). It also offers automatic publication to GitHub Discussions (default 'Publish') and automatic deferred capture (explicitly 'do not prompt the user'). While the skill is not always-enabled (always: false), the defaults (automatic capture + default publish) increase the chance of unintended persistent storage or external disclosure of sensitive deliberation content.
What to consider before installing
This skill appears to implement a complex, legitimate multi-LLM deliberation process, but it has several surprising behaviors you should review before installing:
- Credentials & CLIs: The SKILL.md assumes local CLIs (gh, gemini, qwen, claude, claude-glm/ccgd) and GitHub authentication are present. Confirm where those credentials live and that you want the skill to use them; the skill doesn't declare required env vars explicitly.
- Automatic capture/publishing: By default it will (a) capture rejected COAs automatically into your local strategeion and (b) offer publishing to GitHub Discussions with publishing defaulting to "Publish" (opt-out). If you handle sensitive topics, change defaults to manual publish and require confirmation before any capture/publish.
- Dangerous flags/aliases: The documentation recommends use of a '--dangerously-skip-permissions' flag and creating an alias that embeds it. Do NOT add such aliases or enable flags without understanding their effect — they bypass permission checks and are high-risk.
- Inspect local scripts: Look for scripts referenced (e.g., scripts/deferred_capture.py) in the repository to verify what they do before running them. If they will be executed automatically, ensure they don't exfiltrate or modify unrelated data.
- Least privilege & testing: Run the skill in a sandbox or with dummy repositories/accounts first. Verify what files it writes (the strategeion path and .attune session file) and whether the gh commands use the intended GitHub account/repo. Consider forcing explicit confirmation for any network publish or irreversible actions.
If you want, provide the repository path or the contents of any referenced scripts (scripts/deferred_capture.py, any cli wrappers), and I can review those for specific risks and recommend configuration changes to make the skill safer.
Like a lobster shell, security has layers — review code before you run it.
latestvk97fd5hn1hawz6q25tyvcxer0h84kr02
Runtime requirements
🦞 Clawdis
Config: night-market.conjure:delegation-core, night-market.memory-palace:strategeion, night-market.leyline:git-platform
