Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Maven Smart System Ai (palantir integration)

v1.0.1

Advanced text-based integration suite for Palantir Maven Smart System (MSS). Manages targets, Kanban workflow, CDE risk assessment, SIGINT intelligence fusio...

by Alexey Mametyev (@frequensy23-coder)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and bundled scripts clearly implement Palantir MSS functionality (target lookup, SIGINT fetch, CDE, assigning strike assets, status changes). That matches the declared purpose. However, the registry metadata at the top of the submission lists 'Required env vars: none' and 'Primary credential: none', while SKILL.md and the code require MSS_API_KEY and MSS_API_ENDPOINT — an important metadata mismatch that could hide required credentials from reviewers.
Instruction Scope
SKILL.md instructs the agent to check for MSS_API_KEY and to call initialize_config to write a .env file if missing; it also requires explicit operator confirmation (per the 'Safety Protocol') before actions that move targets toward engagement. This scope is consistent with the stated purpose. However, confirmation is a procedural requirement in SKILL.md only — it is not enforced by the scripts themselves (the scripts will perform POST/PATCH calls if invoked). The agent runtime must reliably prompt and block potentially harmful actions; otherwise the skill can perform impactful operations.
Install Mechanism
No external install script or remote download is present; the package is instruction+scripts only. requirements.txt lists common Python libs (requests, python-dotenv). No high-risk remote installs or obscure URLs were found.
Credentials
SKILL.md and mss_client.py legitimately require MSS_API_KEY and MSS_API_ENDPOINT. But the registry metadata omitted these required env vars — an incoherence. The setup_env.py writes the API key and endpoint into a plaintext .env file at the repository root, which will persist sensitive credentials on disk and may overwrite or alter an existing .env; this persistence is disproportionate unless the operator expects local storage. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request 'always: true' or other elevated platform privileges. It does, however, persistently store the API key and endpoint in a .env file and will make authenticated API calls (GET/POST/PATCH) to the configured endpoint. That persistent storage is normal for a client integration but increases the blast radius if the workspace is shared, backed up, or uploaded.
What to consider before installing
This package contains real-world targeting functionality and will call your Palantir MSS endpoint using MSS_API_KEY and MSS_API_ENDPOINT. Before installing:
1) Verify the publisher and source — there is no homepage or known owner.
2) Do not provide a high-privilege/production API key for testing; create a least-privilege, audit-enabled test key instead.
3) Inspect the code locally (mss_client.py, setup_env.py, and the POST/PATCH callers) and confirm you trust the endpoint URL; setup_env.py writes credentials in plaintext to a .env at the repo root and can overwrite existing MSS entries.
4) Ensure your agent runtime enforces the SKILL.md safety confirmations (the scripts themselves will execute actions if invoked).
5) If you need stronger assurance, request provenance (signed release, VCS repo, maintainer identity) or run the skill in an isolated environment without network access until validated.

Like a lobster shell, security has layers — review code before you run it.

latestvk970yjbf4vr05b3h5zqjvrqheh82xx57
