Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

The Synthetic Context Generator

v1.0.2

Generate tailored context windows with relevant code patterns, pitfalls, StackOverflow solutions, and local project context for AI coding tasks.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description say: generate context windows from local code, a KB, and web (StackOverflow). The code implements a CLI that parses goals, searches a built-in knowledge base, optionally indexes/searches a user-specified local project, and queries the StackExchange API. Declared dependencies (fuse.js, tiktoken, glob, commander) match these capabilities. dotenv is declared in package.json but is used only inside KB sample snippets, so it is an unnecessary dependency rather than a harmful one; overall the required assets align with the stated purpose.
Instruction Scope
SKILL.md and the CLI explicitly read and index files under any project path you provide (the glob patterns cover many code and text file types) and fetch StackOverflow results. This is expected for a context generator, but it does mean any files you point at (including secrets or credentials) will be read and can appear in outputs. The skill does not attempt to read system-wide config paths or other unrelated locations. Implementation detail: searchLocal triggers indexProject automatically but does not await it, so a search can run before the index has finished building; this is a correctness bug, not a security violation.
Install Mechanism
No install spec is provided by the registry (instruction-only install). The project includes normal npm dependencies sourced from the public registry (package.json/lock present). There are no external arbitrary download URLs or archive extracts. Risk here is standard for installing third‑party Node packages.
Credentials
The skill declares no required environment variables or credentials. The code itself does not attempt to access secrets or remote APIs that require credentials. Note: KB examples contain code snippets that reference environment variables (e.g., JWT_SECRET, dotenv), but those are inert examples and not runtime requirements of the skill.
Persistence & Privilege
The skill does not request persistent, elevated platform privileges and 'always' is false. Its indexing stores data in module-level variables (in-memory) and does not persist indexes to disk or modify other skills. The CLI exposes an 'index' command to build an in-memory index for the running process only.
Assessment
This skill appears to do what it says: it will read and index any project path you give it, combine results with its built-in knowledge base, and fetch relevant StackOverflow answers. Before using it: (1) do not point it at directories that contain secrets (private keys, .env files, credential stores) because those files can be read and included in outputs; (2) consider running it in a non-sensitive workspace or with a copy of your repo; (3) be aware outputs may include snippets from your codebase that you then paste into other tools or LLMs — avoid leaking sensitive data that way; (4) if you need token-accurate counts, ensure tiktoken is installable in your environment (it may require native bindings). If you want stronger assurance, request the full project repository URL or a signed release so you can verify package provenance and review the complete package-lock before installing.
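As an added illustration of the two concerns raised in the Instruction Scope and Assessment sections (credential files being read into generated context, and searchLocal not awaiting indexProject), the following is example code written for this page; it is not code from the scanned skill or its author. It shows a guarded indexer that drops secret-bearing files before reading them and makes every search wait for the index build. File contents come from a constructed in-memory map rather than the filesystem, and every name in it (SECRET_PATTERNS, SECRET_CONTENT, GuardedIndexer, SAMPLE_FILES, the injected readFile) is an assumption for the example, not an identifier from the skill.

```javascript
// Added example, not part of the scanned skill. All names are hypothetical.
// Path patterns for files that commonly hold credentials. Apply these to the
// skill's glob results before any file is opened.
const SECRET_PATTERNS = [
  /(^|\/)\.env(\..*)?$/,            // .env, .env.local, .env.production
  /\.(pem|key|p12|pfx)$/i,          // private keys and keystores
  /(^|\/)id_(rsa|ed25519|ecdsa)$/,  // SSH private keys
  /(^|\/)\.npmrc$/,                 // registry auth tokens
  /(^|\/)\.(aws|kube)\//,           // cloud CLI credential stores
  /(^|\/)credentials(\.json)?$/i,
  /(^|\/)\.git\//,
];

function isSecretPath(path) {
  return SECRET_PATTERNS.some((re) => re.test(path));
}

// Narrow content heuristics for files with innocuous names. Kept small on
// purpose so ordinary source (e.g. a reference to process.env.JWT_SECRET) is
// not excluded; only literal key material or assignments of long values are.
const SECRET_CONTENT = [
  /-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----/,
  /\bAKIA[0-9A-Z]{16}\b/,                                // AWS access key id shape
  /\b[A-Za-z0-9_]*(SECRET|TOKEN|PASSWORD)\s*=\s*\S{8,}/, // KEY=value with a long value
];

function looksLikeSecret(content) {
  return SECRET_CONTENT.some((re) => re.test(content));
}

class GuardedIndexer {
  constructor(readFile) {
    this.readFile = readFile; // async (path) => string, injected so the example runs offline
    this.index = [];          // in-memory only, like the scanned skill
    this.skipped = [];        // paths excluded as secret-bearing
    this.ready = null;        // shared promise for the one index build
  }

  // Builds the index once. Concurrent callers share the same promise, so a
  // search issued while indexing is in progress waits instead of seeing an
  // empty or partial index. A failed build is forgotten so it can be retried.
  indexProject(paths) {
    if (!this.ready) {
      this.ready = (async () => {
        for (const p of paths) {
          if (isSecretPath(p)) { this.skipped.push(p); continue; }
          const content = await this.readFile(p);
          if (looksLikeSecret(content)) { this.skipped.push(p); continue; }
          this.index.push({ path: p, content });
        }
      })().catch((err) => { this.ready = null; throw err; });
    }
    return this.ready;
  }

  // The awaited call the scan says is missing: search never runs ahead of indexing.
  async searchLocal(term, paths) {
    await this.indexProject(paths);
    const needle = term.toLowerCase();
    return this.index
      .filter((f) => f.content.toLowerCase().includes(needle))
      .map((f) => f.path);
  }
}

// Constructed sample project; these are not real files or real secrets.
const SAMPLE_FILES = {
  'src/auth.js': 'const token = jwt.sign(payload, process.env.JWT_SECRET);',
  'src/db.js': 'export function connect(url) { return new Pool({ url }); }',
  '.env': 'JWT_SECRET=supersecretvalue123\nDATABASE_URL=postgres://user:pw@host/db',
  'deploy/server.pem': '-----BEGIN RSA PRIVATE KEY-----\nMIIE...',
  'config/notes.txt': 'API_TOKEN=abcdef1234567890',
};

async function demo() {
  const indexer = new GuardedIndexer(async (p) => SAMPLE_FILES[p]);
  const paths = Object.keys(SAMPLE_FILES);
  // Search without calling indexProject first, as the scanned CLI does; the
  // guarded version still waits for the build to finish.
  const hits = await indexer.searchLocal('jwt', paths);
  return { hits, skipped: indexer.skipped };
}
```

With the sample project, demo() resolves to hits ['src/auth.js'] and skipped ['.env', 'deploy/server.pem', 'config/notes.txt']: the .env and .pem files are excluded by name, the notes file by its contents, and src/auth.js stays indexable even though it mentions JWT_SECRET, because it reads the variable rather than containing its value. The exclusion list is a mitigation for a tool you run against your own repo; it does not replace the advice above to keep secrets out of any workspace you point a context generator at.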
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
src/sources/knowledgeBase.js:42: Dynamic code execution detected.
src/sources/knowledgeBase.js:131: Environment variable access combined with network send.
The OpenClaw analysis attributes the environment-variable references in the knowledge base to inert sample snippets, but it does not discuss the dynamic-execution pattern. Before relying on the Benign verdict, confirm that both flagged lines sit inside sample strings in the knowledge base rather than in code the CLI executes.
