Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Federation Ethical Hand

v1.0.0

Federation Ethical Hand — enforces non-interference, equity, plurality, and cultural sensitivity via a 5-phase pattern. Activate on ethically complex requests.

0 · 48 · 0 current · 0 all-time
by Kenneth Terry (@dmater01)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description align with the runtime instructions: a 5-phase ethics review, multi-perspective output, and logging. Nothing in the declared metadata (no env vars, no binaries) is out of line with an ethics-moderation skill. However, the SKILL.md explicitly references several key files under ~/.openclaw/hands/federation_ethic_hand/ (system_prompt.txt, cultural_context.json, metrics.json) even though the skill's registry metadata lists no required config paths — this is an inconsistency (the skill expects local files to exist or be written).
[!] Instruction Scope
Instructions are open-ended about web searches/fetches ('apply cultural sensitivity level to all web searches and fetches') and about persistence ('Write artefacts; log ethics metrics'). They do not specify what is fetched, which external endpoints are used, or exactly what artefacts or user data are written to disk. The SKILL.md also indicates saving a full system prompt to disk, which could leak internal prompt content or context if not handled carefully.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only, which minimizes install-time risk. Nothing is downloaded or executed as part of an installer.
[!] Credentials
The skill declares no environment variables or credentials, which is appropriate, but the SKILL.md refers to specific config files in the user's home directory while the registry metadata lists no required config paths. The absence of declared config-path requirements combined with explicit file paths in the instructions is a proportionality inconsistency that should be resolved (are those files optional, created at runtime, or required?).
[!] Persistence & Privilege
The skill asks the agent to 'Write artefacts', persist metrics to metrics.json, and store a full system_prompt.txt under ~/.openclaw/hands/.... That implies persistent disk writes in the user's home directory and storage of potentially sensitive agent prompts or context. Although the 'always' flag is false, autonomous invocation is allowed (the default), and the combination of possible autonomous invocation with undocumented persistent writes increases the blast radius if the skill is misused.
What to consider before installing
This skill appears to do what it says (an ethics-review pattern) but has two things to clarify before installing: (1) it references and will persist files under ~/.openclaw/hands/federation_ethic_hand/ (including a full system prompt and metrics) yet the registry metadata doesn't declare required config paths — ask the author whether those files will be created, what they contain, and whether any sensitive data (prompt context, user inputs, or fetched web content) will be stored there; (2) the SKILL.md's web-search/fetch guidance is vague — verify what external endpoints the agent will contact and whether any user content is transmitted. Recommend requiring explicit user consent for persistent writes, a configurable storage path, and a sample of the files the skill writes (or a mode that runs without persisting) before enabling the skill for production use.


latest: vk97caq4t94rdt1hhzkn7xjnetd84ax6d


Runtime requirements

⚖️ Clawdis
