Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Repo Onboarding

v0.1.0

Onboard a repo by assessing architecture and dependencies, setting up roadmap and kanban for execution, and generating a comprehensive onboarding report.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name and description (architecture intake, dependency analysis, roadmap/kanban setup) align with the actions described in SKILL.md. However, rather than embedding its own logic or referencing generic, portable tools, it calls scripts from other skills via absolute paths under /home/broedkrummen/.openclaw/workspace-cody/... — a brittle, environment-specific dependency that doesn't match a general-purpose 'repo onboarding' skill.
Instruction Scope
The SKILL.md explicitly tells the agent to run bash/python scripts located outside the target repo in a specific user's home workspace. Those scripts (not included here) will run with the caller's permissions and could read/write arbitrary files, modify system state, or exfiltrate data. The instructions also include an optional script that adds a daily cron job, which modifies system scheduling. The skill gives broad permission to execute external code without providing the script sources for review.
Install Mechanism
This is an instruction-only skill with no install spec and no code files that would be written to disk by the registry. That lowers the immediate supply-chain risk, but the instruction steps still invoke external scripts and tools on the local machine.
Credentials
The skill declares no required environment variables, credentials, or config paths. However, its instructions reference absolute filesystem locations under a specific user's home; executing those scripts would grant them access to the host environment. The declared metadata is minimal and does not reveal what those external scripts require.
Persistence & Privilege
The skill is not always-enabled and does not request persistent presence from the registry. Nevertheless, one optional instruction runs a script to add a daily cron job, which could create persistent scheduled execution. This persistence is not automatic but would be created if the user runs the optional script.
What to consider before installing
Do not run these instructions without first inspecting the referenced scripts. The SKILL.md runs scripts from /home/broedkrummen/.openclaw/..., and those files are not included in this skill bundle. Before executing:

1. Locate and review the contents of the referenced scripts (project_architect.py, dependency_analyzer.py, architecture_diagram_generator.py, init_repo_pm.sh, add_daily_pm_cron.sh) and confirm they do only the work you expect.
2. If you cannot review them, do not run the absolute-path commands; replace them with equivalent, trusted tools or with local copies checked into the repo.
3. Treat the cron-install script with particular caution: it creates a persistent scheduled task that keeps running after the onboarding session ends.
4. If you must execute unknown scripts, do so in an isolated environment (container or VM) that has no access to your credentials, SSH keys, or agent tokens.
5. Prefer a version of the skill that uses relative paths or packaged dependencies rather than hardcoded user home directories.

If the maintainer ships the scripts' source in the skill bundle, or changes the commands to call well-known, inspectable tools, the risk would be much lower.
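The checks above can be automated before an agent is allowed to follow a SKILL.md. The Python below is an added example written for this page, not code from ClawHub or from the Repo Onboarding skill: it lints instruction text for commands that reference paths outside the repo, for scripts that are executed but not shipped in the bundle, and for scheduler keywords that indicate persistence. The sample SKILL.md is constructed; it reuses the script names from the scan report above, but the /home/exampleuser/... paths are made up and the real skill's paths are not reproduced here.

```python
import re
from pathlib import PurePosixPath

# Constructed sample of a SKILL.md instruction file. This is NOT the real
# Repo Onboarding skill's SKILL.md: the script names match the ones listed in
# the scan report, the /home/exampleuser/... paths are invented for the example.
SAMPLE_SKILL_MD = """\
# Repo Onboarding

1. Run `python3 /home/exampleuser/.openclaw/workspace/tools/project_architect.py .`
2. Run `python3 /home/exampleuser/.openclaw/workspace/tools/dependency_analyzer.py .`
3. Run `bash /home/exampleuser/.openclaw/workspace/tools/init_repo_pm.sh`
4. Optional: `bash /home/exampleuser/.openclaw/workspace/tools/add_daily_pm_cron.sh`
5. Run `python3 scripts/architecture_diagram_generator.py` from the repo root
"""

# Absolute or home-relative paths that point outside the repository being onboarded.
ABS_PATH_RE = re.compile(
    r"(?<![\w./-])((?:/(?:home|Users|root|tmp|var|opt|etc)/|~/)[\w./-]+)"
)
# Anything that looks like a script file the agent is told to execute.
SCRIPT_RE = re.compile(r"[\w./-]+\.(?:sh|bash|py|rb|pl|js)\b")
# Words that indicate the instructions install something that runs later on its own.
PERSISTENCE_WORDS = ("cron", "crontab", "systemd", "launchd", "schtasks", "rc.local")


def scan_skill_instructions(text, bundled_files=()):
    """Lint SKILL.md text before an agent is allowed to follow it.

    Returns a list of findings, each a dict with 'line', 'kind' and 'detail':
      absolute_path    - a command references a path outside the repo
      unbundled_script - a script is executed but not shipped in the skill bundle
      persistence      - a line mentions a scheduler, i.e. possible persistent execution
    """
    bundled = {PurePosixPath(f).name for f in bundled_files}
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for path in ABS_PATH_RE.findall(line):
            findings.append({"line": lineno, "kind": "absolute_path", "detail": path})
        for script in SCRIPT_RE.findall(line):
            name = PurePosixPath(script).name
            if name not in bundled:
                findings.append({"line": lineno, "kind": "unbundled_script", "detail": name})
        lowered = line.lower()
        if any(word in lowered for word in PERSISTENCE_WORDS):
            findings.append({"line": lineno, "kind": "persistence", "detail": line.strip()})
    return findings


def summarize(findings):
    """Count findings per kind and derive a simple verdict for the reviewer."""
    counts = {"absolute_path": 0, "unbundled_script": 0, "persistence": 0}
    for f in findings:
        counts[f["kind"]] += 1
    if counts["persistence"] or counts["absolute_path"]:
        verdict = "do_not_run_unreviewed"
    elif counts["unbundled_script"]:
        verdict = "review_scripts"
    else:
        verdict = "ok"
    return counts, verdict


if __name__ == "__main__":
    # The bundle list is what the registry actually shipped; here only SKILL.md.
    results = scan_skill_instructions(SAMPLE_SKILL_MD, bundled_files=["SKILL.md"])
    for f in results:
        print(f"line {f['line']}: {f['kind']}: {f['detail']}")
    print(summarize(results))
```

Run against the constructed sample, the linter flags four out-of-repo paths, five scripts that are executed but not present in the bundle, and one persistence line (the cron installer), and returns the verdict "do_not_run_unreviewed". Passing the real bundle's file list as `bundled_files` is what distinguishes a script you can read before running from one that only exists on the author's machine; a finding of kind `persistence` is the one to treat as blocking even when everything else checks out.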


Tags: coding, latest, productivity

