Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Erp Integration Analysis
v2.1.0
Analyze ERP system integration for construction data flows. Map and optimize data flows between ERP modules
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md contains detailed Python data models and analysis routines that align with the stated goal of mapping and optimizing ERP data flows for construction. However, the claw.json manifest requests filesystem and network permissions even though the skill declares no required credentials or external endpoints; that permission request is not clearly justified by the instructions.
Instruction Scope
Instructions and instructions.md constrain the agent to use only user-provided data, file paths, or direct input and to validate inputs; the included Python code operates on supplied ERPs, integration points, and transaction logs. There are no explicit instructions to read unrelated system files or to transmit data externally in the visible SKILL.md content.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute outside the agent. That minimizes install-time risk.
Credentials
The skill declares no required environment variables or credentials, yet the manifest grants network permission. If the skill were to call external ERP APIs or vendor endpoints it would typically need credentials; those are not declared. This mismatch (network access without declared credentials or endpoints) is disproportionate and should be explained by the publisher.
Persistence & Privilege
always is false and the skill is user-invocable only; it does not request persistent or platform-global privileges. However, the manifest's filesystem and network permissions increase potential blast radius even though the skill does not request persistent presence.
What to consider before installing
This skill appears to implement ERP integration analysis logic and expects user-provided files or data. Before installing: (1) ask the publisher why claw.json declares network and filesystem permissions — does the skill call external ERP APIs or fetch vendor data? (2) Confirm whether it will request or store any ERP credentials; none are declared. (3) Check that the Win32-only restriction and the python3 requirement match your environment (on Windows the binary name may differ). (4) If you don't want any external network access, run it in a sandbox or deny network permission until the author clarifies the need. (5) Verify the publisher/homepage and the version mismatch between claw.json (2.0.0) and registry metadata (2.1.0). If you need higher assurance, request the full SKILL.md content from the author showing any network endpoints and credential use before enabling the skill.
Like a lobster shell, security has layers — review code before you run it.
latest vk978dgbk64w3k4rn6c5ty7q61d816jr7
Runtime requirements
🔗 Clawdis
OS: Windows
Bins: python3
