Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Automatic Skill
v1.1.9Automatic Skill is a self-evolving meta-skill that lets openclaw (and Claude) autonomously design, build, test, and publish a brand-new skill every day — wit...
⭐ 0· 68·0 current·0 all-time
byCosmos Fang@cosmofang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and scripts clearly require git/gh/clawhub and environment variables (GITHUB_TOKEN, GITHUB_REPO, CLAWHUB_TOKEN, etc.) to publish generated skills, but the registry-level metadata shown at the top of the package lists no required env vars or binaries. That mismatch is incoherent — anyone installing from a registry entry would not see the sensitive permissions this skill actually needs. The publishing and cron-management capabilities themselves are consistent with the skill's stated purpose (a skill factory), but they legitimately require sensitive credentials which must be declared upfront.
Instruction Scope
The runtime instructions and scripts instruct the agent to scan local skill directories, generate full skill source trees, run tests, commit and push to GitHub, publish to ClawHub, poll external scans, and (via scan-fix loop) automatically modify code and re-publish to achieve a 'clean' rating. These actions go beyond simple prompt generation: they read/write local files, manage pipeline state, and interact with external services. The 'auto-fix to avoid scanner triggers' behavior is especially broad and potentially deceptive.
Install Mechanism
There is no install spec (no external downloads), so nothing arbitrary is fetched at install time. However, the package includes many executable scripts that will be run locally; absence of an installer reduces supply-chain risk but does not eliminate runtime risk because the packaged scripts perform file I/O and call external CLIs.
Credentials
The SKILL.md requires a GitHub personal access token with repo write permission and a ClawHub token (and expects binaries like gh/git/clawhub). Those credentials are necessary for the stated publish functionality, so they are understandable — but they are high‑privilege secrets. Critically, the registry metadata does not declare these env vars, so a user may not realize how much access they are granting. The skill also accepts an optional notify channel (e.g., slack://...) which could leak pipeline details externally if set.
Persistence & Privilege
always:false is set (good) but the skill is designed to be scheduled (cron) and can be enabled via push-toggle instructions. Since the skill can autonomously create, modify, and publish code to external repositories and re-run itself daily, autonomous invocation combined with publishing credentials increases the blast radius. The pipeline also instructs automatic repairs to evade scanners and re-publishing loops — a powerful self‑modifying behavior that warrants caution.
Scan Findings in Context
[ENV_VAR_USAGE_PROCESS_ENV] expected: Multiple scripts read process.env.* (e.g., create.js uses process.env.CLAWHUB_OWNER_ID). Reading env vars is expected for a publisher but should be explicitly declared in registry metadata and limited to the minimal scopes needed.
[REGISTRY_METADATA_MISMATCH] unexpected: SKILL.md lists required binaries and environment variables (gh, git, clawhub, GITHUB_TOKEN, GITHUB_REPO, CLAWHUB_TOKEN) but the registry summary at the top reports 'Required env vars: none' and 'Required binaries: none'. This is an incoherence that hides required privileges from the installer.
[AUTO_PUBLISH_AND_SELF_MODIFY] expected: The pipeline includes upload.js steps to commit/push and a scan-fix loop that applies code modifications to avoid scanner triggers. Auto-publishing is consistent with the skill purpose but combined with auto-fixing to evade scanners is risky and worth manual review.
What to consider before installing
Do not enable or provide tokens until you audit the code and decide to trust it. Specific steps:
- Verify registry metadata vs SKILL.md: confirm required env vars and binaries are declared and understood.
- Inspect scripts/upload.js and scripts/scan-fix.js (and any file that runs gh/git/clawhub) to confirm exactly what will be committed and pushed. Ensure there is no arbitrary remote endpoint or hidden push target.
- If you must run it, use a throwaway/limited-scope GITHUB_TOKEN (restrict to the single repo and minimal permissions) and a ClawHub token with minimal scope; do not reuse personal/global credentials.
- Run locally in dry-run mode first (pipeline --dry-run) and in an isolated workspace; do not enable cron until comfortable.
- Consider not supplying tokens or not running upload stage; keep SKILL_OUTPUT_DIR pointed at a sandbox directory you control.
- Be cautious about the scan-fix auto-edit loop: it can rewrite code and re-publish. Prefer manual review of any generated fixes before re-publishing.
- If unsure, classify this skill as high‑privilege: require code review by someone who can audit the upload/auto-fix behavior before granting publishing credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97678fhhrpm6z6s9rxfrfjxy1849my7
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
Environment variables
GITHUB_TOKENrequired— GitHub personal access token with repo write permission.GITHUB_REPOrequired— Target repo in owner/repo format, e.g. zezedabaobei/openclaw-skillsCLAWHUB_TOKENrequired— ClawHub API token for publishing skills.CLAWHUB_OWNER_IDoptional— ClawHub ownerId (defaults to kn79bebfnwg15sb0g7cj5z5nyd83gxh0).SKILL_OUTPUT_DIRoptional— Where generated skills are written. Defaults to ~/.openclaw/workspace/skills.OPENCLAW_NOTIFY_CHANNELoptional— Notification channel for pipeline failure alerts.