Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ORBIT Platform
v1.0.0
Principal architect, senior engineer and operator of ORBIT, an agentic applied-intelligence platform. Use when: (1) building or expanding the applica...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill purports to be an operational guide for the ORBIT platform and includes code snippets and explicit references to a Supabase project and the Supabase service_role key. However, the registry metadata declares no required environment variables or credentials. Requesting a service_role key and pointing to specific workspace credential files is disproportionate to an instruction-only skill unless the author explicitly requests and documents those secrets.
Instruction Scope
SKILL.md explicitly tells the operator/agent to read /workspace/projeto/backend/.env and /workspace/projeto/decisoes/2026-03-24-credenciais-finais.md and to 'use always the service_role key'. That directs the agent to access local secret-bearing files and to use a high-privilege DB key — behavior beyond a passive documentation skill and not declared in the skill manifest.
Install Mechanism
No install spec or code files that would be downloaded/executed are present; the skill is instruction-only, which reduces install-time risk. There is no third-party download or package installation described.
Credentials
Although the metadata lists no required env vars, the code examples and rules explicitly rely on SUPABASE_URL and SUPABASE_SERVICE_KEY (service_role). The skill also implicitly requires OpenAI credentials and Telegram webhook configuration. Asking for use of a service_role key (broad database privileges) without declaring it is disproportionate and risky.
Persistence & Privilege
The skill does not request permanent 'always' inclusion or modify other skills. However, because the instructions encourage using a high-privilege service_role key and reading local credential files, allowing autonomous invocation could increase blast radius. This combination amplifies risk even though 'always' is false.
What to consider before installing
This skill contains detailed operational instructions that require sensitive credentials (Supabase service_role key) and tells the agent to read local credential files, but the skill metadata doesn't declare these requirements. Before installing or using it: (1) ask the author/source to explain/declare exactly which environment variables and files are needed and why; (2) never supply a Supabase service_role key to a third-party skill — prefer a least-privileged service account or restricted RLS key; (3) avoid giving the agent access to /workspace paths that contain .env or credentials unless you trust the skill source and have audited the content; (4) run any code in a safe, isolated environment and verify the Supabase project id belongs to you or your organization; (5) if you must use the skill, rotate credentials afterward and monitor DB activity for unexpected operations. If the author can't justify the privileged access or update the manifest to declare required env vars, treat the skill as unsafe to grant secrets to.
Like a lobster shell, security has layers — review code before you run it.
