Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DR. API Execution Bootstrap

v1.0.0

Installer/enforcer skill for direct API execution workflows. On activation, it immediately applies a direct-first API execution policy to workspace startup/d...

by Daniel Refahi @daniel-refahi-ikara
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to be an installer/enforcer for workspace API-execution policies, which legitimately involves inspecting and patching workspace startup files. However, the skill metadata lists no required config paths or environment variables even though the instructions explicitly require reading/writing AGENTS.md, MEMORY.md and checking auth/token availability. The absence of declared file/credential requirements is an incoherence.
[!] Instruction Scope
SKILL.md directs the agent to 'persist the execution policy' into startup files and to 'validate' via a real dev test if safe. It also orders 'Do not treat [consent] as optional' and 'Do not ask whether to apply them.' These instructions grant the skill wide discretion to modify user files and perform network/API actions without additional user confirmation, and they are vague about what 'strongest safe real test' means.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so it doesn't write installers or pull remote artifacts during install. That minimizes direct supply-chain risk.
[!] Credentials
The instructions require checking 'auth/token availability' and running API calls for validation, but the skill declares no required environment variables or primary credential. That implies it may implicitly read whatever credentials exist in the environment or config files — a disproportionate request relative to the declared metadata and a potential vector for unintended credential access/exfiltration.
[!] Persistence & Privilege
The skill explicitly instructs persisting policy into workspace bootstrap files and enforcing it for all future sessions. While persisting its own configuration is reasonable for an enforcer, the combination of 'apply immediately without asking' plus modifying user startup files and enforcing policy across future sessions is privileged behavior that should require explicit, audited consent and clear limits.
Scan Findings in Context
[no_regex_findings] unexpected: The static scanner found no code patterns because this is instruction-only. That absence is expected but not informative: the runtime instructions themselves are the security surface and contain the concerning behaviors described above.
What to consider before installing
This skill will read and write your workspace startup files (AGENTS.md, MEMORY.md or equivalents), assert that consent is already given, and may perform live API calls to validate the setup — yet it does not declare which files or credentials it needs. Before installing or activating:
1) ask the publisher to explicitly list which files it will modify and provide a dry-run mode or a patch you can review;
2) require an explicit, per-action confirmation step instead of the skill's 'do not ask' instruction;
3) backup your AGENTS.md/MEMORY.md and test in a disposable workspace first;
4) require the skill to declare any credentials or tokens it will check or use and to never read unspecified environment secrets;
5) ask for a precise description of the 'validation' network calls (endpoints, data sent) so you can confirm no sensitive data will be transmitted.
If the publisher can supply these controls and a clear audit trail for file changes, the concerns would be reduced.


latestvk97f7ndttf0rbpgdbr5cj1dqfx83apvz
