Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Coordination
v1.0.0
This skill should be used when the user asks about "coordinate coding agents", "orchestrate agent team", "manage multiple agents", "vibekanban workflow", "ta...
by Brian Wagner @brianrwagner
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description, MCP API usage (mcp__vibe_kanban__*), and included CI monitor script align with an 'agent coordination' skill. The included scripts and commands (gh CLI, git status) are expected for CI monitoring and repo-aware task creation. One odd item: the SKILL.md grants 'Full autonomy in /Users/clementwalter/Documents/rookie-marketplace' — a hard-coded absolute path that is not explained by the stated purpose and is disproportionate to a coordinator role.
Instruction Scope
Instructions direct the agent to read repository files for context, run git status and CI-monitoring commands, and to 'investigate' config and environment files (templates explicitly reference .env.example and .env.local). These behaviours can expose sensitive local data and go beyond purely creating/dispatching tasks. The persistent 'CoS mode' state change (never revert unless told) gives the skill broad conversational control which could lead to repeated automatic delegation without explicit per-action consent.
Install Mechanism
No install spec is present (instruction-only with a utility script included). This is low-risk from an installation perspective — nothing fetched from external URLs and no packages are auto-installed by the skill itself.
Credentials
The skill declares no required environment variables or credentials (proportional), but its instructions and templates explicitly direct agents to inspect configuration and local environment files (e.g., .env.local) and to call gh CLI, which uses the user's GitHub credentials stored in the gh config. Reading env/config files or local repo contents may expose secrets; those accesses are not declared, explained, or gated by explicit user consent in the skill metadata.
Persistence & Privilege
The skill does not request always:true and does not modify system/skill configs. However, it defines a conversation-persistent 'CoS mode' and an unexplained exception that grants 'full autonomy' in a specific absolute path. While conversation persistence is within a skill's behavioral scope, the absolute-path autonomy is an unexpected privilege and should be justified or removed.
Scan Findings in Context
[scripts] expected: The skill includes scripts/monitor-pr-ci.py. A monitoring helper script is expected for CI status workflows in a coordination skill.
[external_commands] expected: The monitor script invokes the GH CLI via subprocess.run for GitHub CI queries. Use of an external CLI is expected for efficient GitHub API access but requires the host to have gh installed and authenticated.
What to consider before installing
This skill appears to be what it says — a Chief‑of‑Staff style coordinator for agent teams — but review a few things before installing or activating it:
- Be aware it will instruct agents to read repo files and config/environment files (templates reference .env.example and .env.local). That can expose secrets; avoid letting agents inspect sensitive files unless you explicitly permit it.
- The included script calls the GitHub CLI (gh) via subprocess. If you run the script or allow agents to execute it, it will use whatever GitHub credentials are configured in your gh installation. Ensure you trust the environment and the gh authentication used.
- The SKILL.md contains an unexplained assertion of 'Full autonomy' in an absolute path (/Users/clementwalter/...). That is unusual — either remove or change that behavior to require explicit consent per action.
- The skill's CoS mode persists for the whole conversation and directs the agent to always delegate rather than execute. Decide whether you want that conversational persistence and consider instructing the agent to require explicit confirmation for any file reads or actions that could leak sensitive data.
What would change this assessment to 'benign': removing the hard-coded absolute-path autonomy, explicitly requiring user consent before reading local env/config files, and documenting where/when the script will run and what credentials it will use.
