Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

agentcli-go

v1.0.0

agentcli-go framework reference for building Go CLI tools. Use when working on agentcli-go itself, scaffolding new CLI projects, adding commands, integrating...

by xj @gh-xj
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description match the SKILL.md content: it documents a Go CLI framework, scaffold workflows, API surface, and recommended project layout. Nothing in the file requests unrelated credentials, binaries, or external services.
Instruction Scope
SKILL.md is a documentation/reference artifact describing APIs and example commands (e.g., agentcli new). It does not instruct the agent to read arbitrary host files, send data externally, or access secrets. Note: the documented API surface includes helpers like RunCommand and RunOsascript which imply the library can execute shell/macOS scripts when used in code — this is expected for a CLI framework but worth auditing in any concrete implementation before running generated scaffolding against untrusted input.
Install Mechanism
No install spec is present (instruction-only). Nothing will be written to disk or downloaded by the skill itself.
Credentials
The skill declares no required environment variables or credentials. The doc references patterns for loading environment variables in consumer projects, which is appropriate and proportional.
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent/system-wide privileges or modify other skills' configuration.
Assessment
This skill is just a reference document for a Go CLI framework and does not itself install code or request secrets, so the direct risk is low. Before using any generated scaffolding or adding the referenced library to a project: 1) verify the upstream repository (github.com/gh-xj/agentcli-go) and its integrity/license; 2) inspect the actual library code (especially functions like RunCommand/RunOsascript) to ensure they don't execute untrusted input or run networked installs; and 3) when running scaffolding commands, review any generated scripts or Taskfile tasks before executing them on your machine.

Like a lobster shell, security has layers — review code before you run it.

Tags: cli, cobrax, configx, framework, go, latest, scaffold
