Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nm Gauntlet Graph Build
v1.0.0

Build or incrementally update the code knowledge graph for a codebase. Uses Tree-sitter for multi-language AST parsing and stores nodes/edges in SQLite.
by @athola
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw)

Verdict: Suspicious (high confidence)

Purpose & Capability
Name and description match the claimed capability (graph build with Tree-sitter and SQLite). However, the skill requests no binaries, no environment variables, and includes no code. In practice it requires python3, the gauntlet scripts, and Tree-sitter-based tooling; those requirements are not declared, which is disproportionate and inconsistent.
Instruction Scope
SKILL.md instructs the agent to run: python3 ${CLAUDE_PLUGIN_ROOT}/scripts/graph_build.py <dir> (and an incremental mode). That references an undeclared environment variable (CLAUDE_PLUGIN_ROOT) and a script that is not bundled or installed by this skill. The instructions therefore assume external files and env configuration; they also read/write repository files (.gauntlet/graph.db and .gauntlet/.gitignore), which is expected for this purpose but should be explicit.
Install Mechanism
This is an instruction-only skill with no install spec (low installer risk). The problem is omission rather than a risky installer: required scripts are expected to exist elsewhere but the skill does not provide instructions for obtaining or verifying them.
Credentials
No credentials are requested (good), but the instructions reference CLAUDE_PLUGIN_ROOT — an undeclared env var — and implicitly require python3 and likely Tree-sitter bindings. The skill should declare required env vars and binaries; referencing undeclared env state is a coherence and safety concern.
Persistence & Privilege
The skill does not request always:true, does not request persistent/system-wide changes beyond creating .gauntlet files in the repo, and does not alter other skills' configs. Its file writes (graph.db, .gitignore) are consistent with its purpose.
What to consider before installing
Do not run this skill as-is. Before installing or invoking it, verify where ${CLAUDE_PLUGIN_ROOT}/scripts/graph_build.py comes from and inspect that script: the SKILL.md expects an external Python script that is not included. Ensure python3 and any Tree-sitter bindings it needs are installed and trusted. If you plan to use the skill, either (a) install the referenced claude-night-market/gauntlet plugin from the GitHub homepage listed and confirm CLAUDE_PLUGIN_ROOT is set to that trusted installation, or (b) ask the skill author to bundle the script or declare required binaries and env vars in the skill metadata. Be cautious: running an unreviewed Python script can execute arbitrary code and will write .gauntlet/graph.db and .gauntlet/.gitignore into your repository.

Like a lobster shell, security has layers — review code before you run it.
latest: vk9734dynnfq6jybcxjghze37fn84qw7r
Runtime requirements: 🦞 Clawdis
