Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Autonomous Skill
v0.1.0
Use when user wants to execute long-running tasks that require multiple sessions to complete. This skill manages task decomposition, progress tracking, and a...
by Pengfei Ni (@feiskyer)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's files and runtime instructions (creating .autonomous/<task>/, generating task_list.md/progress.md, running Initializer/Executor sessions, and updating project files) are consistent with a long-running autonomous task executor. It expects the 'claude' CLI to be available (used to drive the agent). Nothing else (env vars, unrelated binaries) is requested. Note: relying on the local 'claude' CLI means it will implicitly use whatever credentials/config the user has for that tool, which is not declared but is expected for this purpose.
Instruction Scope
The SKILL.md and templates instruct the agent to read repository state (ls, cat, git log), run builds/tests, commit changes, and modify project files beyond the .autonomous task-tracking folder. Critically, the run scripts call claude with '--permission-mode bypassPermissions' (and the SKILL.md describes 'auto-continuation' for unlimited sessions). Instructing the model to run with a permissions bypass and to autonomously continue sessions broadens what the skill can do well beyond simple task-tracking and could enable sustained modification of the user's workspace without additional explicit consent.
Install Mechanism
No install spec; only an included shell script and templates. No remote downloads or package installs are specified. This is low install risk.
Credentials
The manifest declares no required environment variables or credentials, which aligns with the files. However, the runtime requires a 'claude' CLI binary (checked at runtime) that will use the user's existing Claude credentials/config. That implicit dependency on the user's LLM credentials is proportional to the feature but should be noted: the skill will act using those creds via the local CLI, and the script requests a bypass of permission controls when invoking it.
Persistence & Privilege
The skill is not marked 'always:true', and model invocation is allowed (default). However, the combination of (a) autonomous auto-continuation loops, (b) repeated headless invocations, and (c) explicit use of '--permission-mode bypassPermissions' increases the blast radius: an autonomous agent could repeatedly modify project files, run builds/tests, and commit changes without further user prompts. This elevated runtime privilege is the primary concern.
What to consider before installing
What to consider before installing or running this skill:
- The skill will create a .autonomous/<task>/ directory and will read and modify both those tracking files and your project files (it explicitly recommends running builds, tests, and git commits). If you run it in a real project, expect it to change source files and commit them.
- The run script invokes the 'claude' CLI with a permission-bypass flag (--permission-mode bypassPermissions). That bypass is the key risk: it asks the local Claude client to ignore normal permission controls so the agent can act autonomously. Ask yourself whether you trust any skill to operate without additional prompts.
- Because the skill uses your local 'claude' CLI, it will act with whatever credentials/config the CLI is already using. There are no declared env vars, but credentials are implicitly used — consider running this only in a disposable environment or a non-production repository.
- Recommendations before use:
  - Inspect and, if needed, remove or modify the '--permission-mode bypassPermissions' invocation so actions require explicit confirmation.
  - Run the script first in an isolated test repo (or a throwaway container) to observe behavior and ensure it doesn't touch anything sensitive.
  - Review and restrict the filesystem location where the skill runs (avoid running at system root). The script validates task names to avoid path traversal, but you should still run in a controlled workspace.
  - Consider requiring manual confirmation before commits or disabling auto-continue (the script has flags for no-auto-continue / max-sessions; use them).
  - If you need higher assurance, request from the skill author an explanation of why permission bypass is required and a version that operates without bypass or with an explicit confirmation step for file modifications.
Confidence note: medium — the skill's files and instructions are coherent with an autonomous task-runner, but the explicit permission-bypass flag and autonomous continuation materially increase risk. Additional information (author rationale for bypassPermissions, details on how the platform enforces 'permission-mode', or a version of the skill without bypass) would raise or lower confidence.
Like a lobster shell, security has layers — review code before you run it.
