Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Fanta Autoresearch
v1.0.0
Autonomous goal-directed iteration for optimization and improvement tasks. Use when you need to systematically improve a metric, optimize a system, or iterat...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (autonomous iterative optimization) match the provided SKILL.md, reference docs, and the included Python helper. Requested resources (none) are consistent with an instruction-only/tooling skill for running iterations and verification commands.
Instruction Scope
SKILL.md instructs agents to run verification commands, spawn subagents (sessions_spawn), and use exec with background continuation. Those are coherent for long-running optimization loops, but they grant the skill the ability to run arbitrary shell commands and persistent tasks — the instructions also reference modifying files (e.g., ~/.openclaw/workspace/MEMORY.md, openclaw.json) which fits the stated scope but should be explicitly limited by the user when running autonomously.
Install Mechanism
No install spec; skill is instruction + a small Python script. Nothing is downloaded or written by an installer during install, which reduces supply-chain risk.
Credentials
Skill declares no environment variables, no credentials, and no unusual config paths. The files and commands referenced (openclaw cron, local workspace files, common test/build tools) are appropriate for the described purpose.
Persistence & Privilege
always:false and default autonomous invocation are set. The skill does not request permanent inclusion or elevated platform privileges. It can spawn background processes per SKILL.md, which is expected for long-running loops but increases runtime blast radius if misused.
Assessment
This skill appears to do what it says: automate iterative experiments. It does, however, assume it can run arbitrary verification and background commands. Before installing/using it:
- Only supply trusted verification commands (the verify argument is executed via the shell). Avoid passing untrusted strings that could execute unintended shell actions.
- If you intend to run autonomous subagents or background execs, constrain their scope (limit modified file paths, use a sandbox or ephemeral environment, set resource/time limits).
- Review and, if needed, modify scripts to avoid shell=True style execution or to use safer argument lists to reduce injection risk.
- Check where logs are written (default: autoresearch-log.tsv) and ensure sensitive data is not captured there.
- Don't grant additional credentials or environment variables to this skill unless you understand and approve each use case (the skill itself does not request any).
If you want extra assurance, run the Python script in a controlled environment first and/or have a developer replace subprocess.run(..., shell=True) with a safer invocation that passes args without shell expansion.
Like a lobster shell, security has layers — review code before you run it.
automation · iteration · latest · loop · optimization
