SynBO (Synthetic Bayesian Optimization)

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: synbo
Version: 0.1.1

The skill bundle contains instructions in `reference/installation.md` that direct the agent to download and execute shell scripts from an external mirror (mirrors.tuna.tsinghua.edu.cn) and modify shell configuration files (`.bashrc`, `.zshrc`) to set up the environment. While these actions are plausibly required for the stated purpose of chemical optimization, the use of `curl | bash` patterns and environment persistence are high-risk behaviors. Additionally, `SKILL.md` uses highly prescriptive instructions to control agent logic and file system interactions, which increases the complexity of the prompt-injection surface.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running setup can install third-party software and modify the local Python or shell environment.

Why it was flagged

The installation guide runs a downloaded Miniconda installer and installs unpinned Python packages. This is expected for a SynBO toolchain, but it relies on external supply-chain trust.

Skill content

curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/... -o miniconda.sh
bash miniconda.sh -b -p $HOME/miniconda3
...
pip install qspoc
pip install synbo

Recommendation

Use a trusted Miniconda source, verify installer checksums when possible, pin package versions, and run the environment in an isolated conda environment.

What this means

Future runs may use a previously saved project directory, so outputs could go to the wrong location if the config is stale or tampered with.

Why it was flagged

The skill persists the user's project path and project name, then reuses them on later runs. This is purpose-aligned but creates persistent local state that could become stale or be edited.

Skill content

Read `config.json` located in the skill's directory... immediately write/update the `config.json` file with this format: `{"project_wd": "xxx", "project_name": "xxx"}`.

Recommendation

Confirm the displayed project name and working directory before running optimization, and delete or edit the config file when changing projects.