Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PAI
v1.0.0
Personal AI Infrastructure core system using the PAI Algorithm for advanced general problem-solving and capability amplification.
⭐ 0 · 115 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The skill claims to be a Personal AI Infrastructure core and ships extensive source, docs, and action/pipeline tooling which fits that purpose. However, the package documentation and code reference external services and secrets (Anthropic API keys, AUTH_TOKEN, Cloudflare worker deployment) even though the registry metadata declares no required env or credentials — this mismatch is unexpected for a core infra package.
Instruction Scope
SKILL.md contains highly prescriptive runtime rules that go beyond normal guidance: it mandates streaming first tokens, enforces a strict multi-phase format, and includes a verbatim command that instructs agents to run `curl -s -X POST http://localhost:8888/notify ...` as part of the visible progression block. That instruction causes network activity to an endpoint not declared anywhere else and effectively injects an operational side-effect into every run. The SKILL.md also contains prompt-injection-like language (pre-scan detected 'ignore-previous-instructions' and 'system-prompt-override'), indicating it may attempt to influence agent control flow.
Install Mechanism
There is no install spec and this is primarily an instruction + code bundle. Nothing in the registry indicates it will download or execute remote binaries during install, which reduces install-time risk. The codebase itself is large and would be written to disk when installed, so local review is recommended before running.
Credentials
The registry lists no required env vars, but many source files and README/docs reference secrets and env values (ANTHROPIC_API_KEY, AUTH_TOKEN, CF_ACCOUNT_SUBDOMAIN, etc.), and the code also reads process.env.HOME and other env values. This disparity (no declared credentials vs. numerous code-level references) leaves it unclear which secrets the skill actually expects or uses.
Persistence & Privilege
The skill is not marked always:true and does not declare modifications to other skills or global config. However, it contains components named SessionHarvester and SecretScan, plus tooling to deploy persistent Cloudflare Workers; these indicate it can be used to collect session/context data and deploy long-running endpoints if the operator uses its deployment features. Autonomous model invocation is allowed (platform default) but is not by itself a red flag.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Detected in SKILL.md; this pattern is characteristic of prompt-injection attempts that try to override prior system instructions. Not expected for a benign documentation/runtime guide.
[system-prompt-override] unexpected: Detected in SKILL.md; indicates the skill may contain instructions designed to alter the agent's system prompt or execution policy. This is not normal for a neutral infra manifest and raises concern about control flow manipulation.
What to consider before installing
This package contains an entire PAI framework and a very large codebase, but there are important metadata mismatches and scope issues you should consider before installing:
- SKILL.md explicitly instructs the agent to POST a JSON payload to http://localhost:8888/notify (including a voice_id) as a required visible-step side-effect. That network call is not declared in metadata and could cause unexpected local interactions or data leaks; inspect whether you run such a notify service and why it's needed.
- The repository references secrets (ANTHROPIC_API_KEY, AUTH_TOKEN, CF account settings) in docs and code, yet the registry says no required env vars. Treat this as a sign the skill expects credentials you were not asked to provide at install time. Do not install into environments containing sensitive credentials without auditing the code.
- Pre-scan detected prompt-injection patterns (ignore-previous-instructions, system-prompt-override). SKILL.md also enforces strict output/streaming behavior and contains verbatim command blocks. These can attempt to change how the agent behaves — review the SKILL.md fully and remove or sandbox any verbatim curl/notify calls before use.
- There are files named SessionHarvester and SecretScan — review those files to understand what data they collect, whether they persist telemetry, and whether they transmit anything off-host.
Recommended actions:
1) Do not enable this skill in a production or credentialed environment yet.
2) Review the listed files locally (especially Tools/SessionHarvester.ts, Tools/SecretScan.ts, and SKILL.md) to see whether they call external endpoints or exfiltrate data.
3) If you need the functionality, run it in an isolated VM/container without access to your real secrets or network, or remove/modify the hardcoded curl lines.
4) Ask the publisher for provenance (homepage, repo, or trusted source) and clarification about required secrets and the local notify endpoint.
5) If you want, share the contents of Tools/SessionHarvester.ts and Tools/SecretScan.ts and I can inspect them for suspicious behavior.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Shell command execution detected (child_process):
- Tools/algorithm.ts:654
- Tools/Banner.ts:28
- Tools/BannerMatrix.ts:40
- Tools/BannerNeofetch.ts:30
- Tools/BannerRetro.ts:36
- Tools/GetTranscript.ts:67
- Tools/Inference.ts:88
- Tools/IntegrityMaintenance.ts:853
- Tools/NeofetchBanner.ts:38
- Tools/RelationshipReflect.ts:417
- Tools/SecretScan.ts:60
- Tools/SplitAndTranscribe.ts:40
Environment variable access combined with network send:
- ACTIONS/lib/runner.ts:75
- ACTIONS/lib/runner.v2.ts:33
- Tools/algorithm.ts:47
- Tools/IntegrityMaintenance.ts:111
- Tools/pai.ts:422
- Tools/PipelineOrchestrator.ts:22
- Tools/RemoveBg.ts:26
- Tools/YouTubeApi.ts:40
File read combined with network send (possible exfiltration):
- ACTIONS/lib/runner.v2.ts:12
- ACTIONS/lib/types.v2.ts:36
- Tools/algorithm.ts:40
- Tools/IntegrityMaintenance.ts:22
- Tools/pai.ts:23
- Tools/PipelineOrchestrator.ts:16
- Tools/RemoveBg.ts:17
- Tools/YouTubeApi.ts:22
Prompt-injection style instruction pattern detected:
- PAISECURITYSYSTEM/PROMPTINJECTION.md:38
- THEHOOKSYSTEM.md:1265
- TOOLS.md:47
- USER/PAISECURITYSYSTEM/QUICKREF.md:69
Versions: latest (vk970d0f5wcw2msk9x0bkfc61cn835xns)
