ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Batch Executor

v1.0.0

Full batch processor for corpus-scale task execution. Handles Google Drive dumps, ChatGPT exports, Apple Notes, or any large collection of mixed content (ide...

0· 46·0 current·0 all-time
byKairoKid@dodge1218
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a corpus-scale executor and the steps it will take (ingest, classify, triage, spawn sub-agents, checkpoint, report). That high-level purpose aligns with the instructions. However the instructions reference external tools and operations (e.g., a `pdf` tool, parsing Google Drive exports, committing to git, and writing into systems/batch-cognition/value-stack.md) that are not declared in the registry metadata (no required binaries, env vars, or config paths). The absence of declared requirements is a mismatch but could be explained by assuming a pre-provisioned agent environment.
!
Instruction Scope
The instructions direct the agent to save ALL raw input to disk under systems/batch-executor, parse many file types, spawn sub-agents and pass them corpus content and related context, checkpoint progress and commit to git every N items, and append results to a shared file used by another skill (systems/batch-cognition/value-stack.md). Writing raw inputs to disk and sharing item content across spawned sub-agents is expected for batch processing, but: (1) committing progress to git could leak data if Git remotes are configured; (2) appending to a path owned by another skill is cross-skill modification and could overwrite or leak aggregated data; (3) the instructions reference a `pdf` tool and killing/stopping sub-agents without declaring what runtime has permissions to do those operations. The instruction 'If user is idle (no response in 30s), continue' grants the skill substantial autonomy to proceed without explicit human confirmation.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That minimizes install-time risk because nothing is downloaded or written by an installer. The runtime risks come from the actions the instructions direct the agent to perform, not from an installer.
!
Credentials
The skill declares no required environment variables or credentials, yet it expects to process Google Drive dumps and potentially interact with git. To legitimately handle Google Drive programmatically you'd normally expect Google API credentials; for git commits/pushes you'd expect git config/credentials. The skill's silence on credentials is a proportionality concern: either it requires the agent runtime to already provide these capabilities (not explicit), or it will prompt for them at runtime (also not described). Additionally, the practice of giving sub-agents full item content and 'relevant context from other items' can cause broad exposure of sensitive data across tasks.
Persistence & Privilege
The skill is not force-enabled (always: false) and allows autonomous invocation by default (platform normal). The concerning element is file and cross-skill persistence: it writes raw inputs and reports to systems/batch-executor paths and explicitly appends to systems/batch-cognition/value-stack.md (a file outside its own namespace). That level of write access to shared skill files increases blast radius and could lead to data being mixed with other skill state.
What to consider before installing
This skill appears to do what it says (bulk corpus processing), but review these issues before installing or running it: 1) It will write raw inputs to disk (systems/batch-executor/...) and commit progress to git — if your agent has a configured git remote this could leak data. Run it in an isolated workspace or ensure no remote git pushes are possible. 2) The SKILL.md references external tools (a `pdf` extractor) and expects to parse Drive/ChatGPT exports but declares no credentials — confirm where Google/Drive/ChatGPT access will come from and never supply credentials unless you trust the runtime. 3) It appends to systems/batch-cognition/value-stack.md (another skill's file) — if you use batch-cognition, expect side-effects; consider sandboxing or editing that line. 4) The skill spawns sub-agents and will pass full item content and related context to them — ensure sub-agents are allowed to see that data. 5) If you want safer use: run on a copy of your corpus in an isolated container, disable autonomous invocation or lower concurrency, verify available binaries (pdf, git) and their behavior, and confirm no external remotes or credentials are accessible. If anything is unclear, ask the skill author for explicit declarations of required tools, expected file paths, and credential handling before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bw1rrbaw7vtmwnsk8yrrkts83yp7w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments