Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Forever Healthy AI4L - AI for Practical Longevity

v0.1.0

AI4L - Enabling everyone to use AI to generate high-quality, evidence-based reviews of interventions aimed at optimizing health and longevity.

by Michael Greve @epicoun
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description (AI4L Evidence Review Toolkit) align with the instructions to create/audit evidence reviews and QA checklists. The skill requests no credentials or installs, which is proportionate. However, the hard-coded default topic ('Using Telmisartan to Improve Health and Longevity') is narrowly prescriptive for a general toolkit and may be unexpected. VERIFY's requirement to check and "fix" repository files (SKILL.md, README.md, etc.) suggests write access to project files — plausible for a toolkit but should be explicit and user-approved.
Instruction Scope
SKILL.md contains contradictory and vague directives: AI4L.md says 'No Sub-agents' for auditors while SUBAUDIT/FULL/ITERATE explicitly instruct launching sub-agents (Opus). VERIFY directs fixing target files but the header rule says 'Do not edit files outside ./results/ unless explicitly granted permission' — VERIFY's 'fix them' step would modify files outside ./results/ without obtaining that explicit permission. The audit process also repeatedly instructs 'write and run a script' to parse results, but no script is provided; that implies the agent may run arbitrary scripts in the environment. These inconsistencies create unclear authority and potential for unexpected file edits or command execution.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or written by an installer step.
Credentials
The skill declares no required environment variables, credentials, or config paths. There are no apparent requests for secrets or external service keys in the instructions.
Persistence & Privilege
always is false and the skill does not request system-wide config or persistent presence. However, it instructs autonomous actions (launching sub-agents, running scripts) which is platform-default behavior; combined with the instruction ambiguities above, this could increase risk if the agent is allowed to run commands or modify repository files without explicit user confirmation.
What to consider before installing
This skill is broadly coherent with an evidence-review toolkit but contains conflicting and vague runtime rules that could cause it to modify files or run scripts without explicit, clear consent. Before installing:

(1) Confirm whether you want the skill to be allowed to edit repository files outside ./results/ — VERIFY explicitly says to "fix" files but also says not to edit files outside ./results/ unless the user grants permission.
(2) Decide whether you allow the agent to launch sub-agents (the skill requests Opus) and to run parsing scripts — if not, deny those capabilities or sandbox the skill.
(3) Note the default topic is a prescription drug (telmisartan); if you don't want medical/drug-specific defaults, request the author change it.
(4) Ask the skill author to resolve contradictions (no-sub-agent vs. SUBAUDIT) and to supply or describe any scripts the skill expects to run.

If you proceed, run the skill in a restricted/sandboxed environment and require explicit confirmation before any edits outside ./results/ or before executing any code.

Like a lobster shell, security has layers — review code before you run it.

development vk970pg7mbh6wbbarcmxcktrhah837nc1 · latest vk970pg7mbh6wbbarcmxcktrhah837nc1

