Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OGP Project
v0.3.0
Tool-agnostic project collaboration for AI assistants. Users keep their own tools (Linear, Jira, Obsidian, GitHub, iCloud, local files — anything). This skil...
by latentgenius @dp-pcs
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description describe tool-agnostic project collaboration and the skill explicitly requires the 'ogp' binary and OGP state files (~/.ogp/config.json, projects.json, peers.json). These requirements are consistent with a skill that queries local project state and contacts peer agents.
Instruction Scope
SKILL.md instructs the agent to run 'ogp' CLI commands to query local project history and to send queries to peer agents (ogp federation agent ...). This matches the stated behavior, but the skill's 'MANDATORY' Proactive Pre-Task Check means it will proactively read local state and send the user's intent to remote peer agents before starting project work — a privacy and network-communication consideration users should be aware of.
Install Mechanism
There is no registry install spec, but SKILL.md recommends 'npm install -g @dp-pcs/ogp' and links a GitHub repo. Installing an npm package globally is a common mechanism; it's moderate-risk compared with bundled binaries but is proportionate to the need for an 'ogp' CLI. Users should verify the package and repo before installing.
Credentials
The skill declares the exact state paths it needs (~/.ogp/*.json) and requires the 'ogp' binary; it does not ask for unrelated env vars or secrets. However, those config files may contain gateway URLs, routing or auth details used to contact peers. Access to those files is necessary for the skill's function but also enables transmitting project context and user intent to external peer agents — a sensitive capability that is proportionate to the stated purpose but worth explicit consent and review.
Persistence & Privilege
always is false (no forced permanent presence). The skill can be invoked autonomously (disable-model-invocation is false), which is the platform default. Combined with the skill's mandatory proactive behavior, autonomous invocation increases its practical reach (it will run pre-task checks that contact peers), but there is no evidence it modifies other skills or requests cross-skill credentials.
Assessment
This skill is coherent with its purpose, but it performs proactive operations that can read local OGP state and send your stated intent and project queries to remote peer agents. Before installing:
- Verify and review the referenced npm package and GitHub repo (@dp-pcs/ogp) to ensure you trust the publisher.
- Inspect ~/.ogp/config.json and peers.json to see what gateway URLs or auth details are present and which peers would be contacted.
- Consider whether you want the agent to perform automatic pre-task network queries (you may prefer a confirmation step before contacting peers).
- If privacy is a concern, limit the peers listed or adjust peer response policies in OGP so your agent doesn't share sensitive content automatically.
- Because the skill suggests installing a global npm package, run that installation yourself (not via the agent) and audit the binary before allowing the skill to invoke it autonomously.

Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: ogp
