Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Overstory Integration
v1.0.0
Integrates overstory Claude Code agent swarm with nanobot orchestrator. Manages agent lifecycle, SQLite mail bridge, and git worktree coordination.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description require managing overstory agents, a mail bridge, and worktrees. The package only asks for the overstory CLI, git, and tmux (declared in SKILL.md and reflected in the wrapper), which are proportionate to the described functionality.
Instruction Scope
SKILL.md and the scripts focus on spawning agents, inspecting logs, managing a local SQLite mail DB, and manipulating git worktrees. The code creates ~/.nanobot and .overstory/mail.db (or workspace/.overstory) and runs subprocesses (overstory, git). This is expected, but the skill will modify repository state (worktree remove) and spawn tmux sessions via the overstory CLI, so run with care in important repos or production hosts.
Install Mechanism
Instruction-only skill with bundled Python scripts; no external installer or remote downloads. No install-time network fetches or URL-based archive extraction are present in the provided material.
Credentials
No required secrets or unrelated environment variables. Optional env vars (OVERSTORY_BIN, OVERSTORY_WORKSPACE) are declared and used by the code.
Persistence & Privilege
Skill is not marked always:true and does not modify other skills or global agent configs. It operates on its own local DBs and workspace paths only.
Assessment
This skill appears to do what it claims: it will create and use local SQLite DB files (~/.nanobot/agent_lifecycle.db and workspace/.overstory/mail.db), run the overstory CLI (which spawns tmux sessions), and run git commands that can remove worktrees. Before installing or running:
1) Inspect the full, untruncated source files in the package (the provided mail_bridge snippet was truncated in the listing) to confirm there are no hidden behaviors.
2) Ensure the overstory CLI binary you point to is trusted; this wrapper executes it directly.
3) Back up any important repositories or run in an isolated workspace, since cleanup/remove worktree operations can modify or remove worktrees.
4) If you need to limit risk, run the scripts with non-privileged user accounts or in a container/VM.
If you want higher assurance, provide the complete untruncated files so I can re-check for hidden/exfiltration code.
Like a lobster shell, security has layers — review code before you run it.
