Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nm Imbue Diff Analysis
v1.0.0
Analyze changesets with risk scoring, categorization by type/impact, and release note preparation
by @athola
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and the provided modules (git-diff patterns, semantic categorization, risk framework) align with a changeset analysis/release-note workflow. Use of git and optional 'sem' tooling is expected for this purpose.
Instruction Scope
The SKILL.md explicitly instructs the agent to gather git workspace context (git log/diff/counts) and to use sanctum:git-workspace-review to collect repository context. That collection is coherent for diff analysis but it means the agent will read local repository contents and metadata. The skill also instructs use of imbue:proof-of-work and imbue:structured-output to capture and format artifacts; where those artifacts are stored or sent is not described in this skill and should be validated.
Install Mechanism
Instruction-only skill with no install spec and no bundled code. No files are downloaded or executed by the skill itself, which lowers installation risk.
Credentials
The skill requests no environment variables or external credentials. It does declare a required config path (night-market.imbue:proof-of-work) — plausible for storing analysis evidence, but the destination, retention, or access control for that config entry is not described and should be checked to ensure it doesn't cause unintended data exposure.
Persistence & Privilege
always is false and autonomous invocation is allowed by default (platform behavior). The skill does not request elevated system-wide privileges or claim to modify other skills' configurations; however, it integrates with other skills that may persist artifacts (see proof-of-work).
What to consider before installing
This skill appears to legitimately perform diff analysis, but it relies on helper skills/modules that will read your repository and capture 'proof-of-work' artifacts. Before installing or running it: (1) inspect what imbue:proof-of-work and imbue:structured-output actually do — where are artifacts stored or transmitted and who can access them; (2) confirm sanctum:git-workspace-review runs locally and does not upload repository contents to an external service; (3) run the skill on a non-sensitive test repository first; (4) if you have sensitive secrets in your repo, ensure the skill (and the referenced helpers) are configured to redact or never transmit those files. If you cannot verify where proof-of-work artifacts go, avoid using the skill with private code.
Like a lobster shell, security has layers — review code before you run it.
latestvk97ds9wx3fk6wg8zqy2s5cy8gn84pj63
Runtime requirements
🦞 Clawdis
Config: night-market.imbue:proof-of-work
