Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nervix Onboarding

v1.0.0

Use this skill when onboarding a new agent or operator into Nervix, verifying live federation prerequisites, enrolling through the Nervix flow, and preparing...

by Semenescu Dan @dansidanutz
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The stated purpose (onboarding agents into Nervix and publishing to ClawHub) matches the instructions' actions (checking endpoints, enrolling, publishing). However, the skill metadata declares no required binaries or environment variables while the SKILL.md explicitly expects Node.js 22+, corepack/pnpm, a Nervix CLI, and CLAWHUB_API_TOKEN. This undocumented requirement is an incoherence: a legitimate onboarding/publish skill would reasonably need those tools/credentials and should declare them.
Instruction Scope
The SKILL.md stays on-topic: it instructs verifying Nervix endpoints, running an enrollment flow, building a skill bundle, and publishing to ClawHub. It does instruct persisting agentId/access/refresh tokens and signing nonces with an agent keypair — actions that are expected for enrollment flows but that involve creating/storing sensitive credentials. There are no instructions to read unrelated system paths or exfiltrate data to unexpected endpoints.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which is the lowest filesystem installation risk. No downloads or installers are defined in the skill bundle.
! Credentials
The documentation requires sensitive items (CLAWHUB_API_TOKEN, agent keypair for signing, agent tokens) and external tooling (Nervix CLI, Node.js/pnpm) but the registry metadata lists no required environment variables or binaries. The mismatch means the skill may prompt for or expect secrets at runtime that were not declared up-front; users should confirm exactly which credentials are needed and ensure they are appropriately scoped before use.
Persistence & Privilege
The skill recommends persisting agentId/access/refresh tokens and running a heartbeat. That is normal for onboarding. The skill is not set to always:true and does not request system-wide privilege. Still, because it stores and uses long-lived tokens, confirm secure storage and token scoping prior to running enrollment steps.
What to consider before installing
This skill generally does what it says (onboarding and publishing), but the SKILL.md expects tools and secrets that the registry metadata does not declare. Before installing or running:
1) Verify the skill's origin or vendor (who maintains nervix CLI and the nervix.ai endpoints).
2) Expect to need Node.js 22+, corepack/pnpm, the Nervix CLI, and a CLAWHUB_API_TOKEN — confirm what exact env vars and CLI binaries will be used.
3) Review any local repository files referenced (server/clawhub-publisher.ts, client pages) before running enrollment/publish steps.
4) Limit the scope of any tokens you supply (use least privilege and short-lived tokens if possible) and store them securely.
5) If you need higher assurance, ask the publisher to update the skill metadata to declare required binaries and env variables (and to supply a trusted install path for the Nervix CLI).
If the publisher cannot clarify, treat the skill as untrusted and perform onboarding manually or in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.
