Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GSD Headless (→ gsd-orchestrator)

v1.0.0

Redirect — install `gsd-orchestrator` instead. This skill exists to reserve the name. The full orchestration skill with subprocess patterns, exit code handli...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's stated purpose is only to reserve the name and redirect to `gsd-orchestrator`. However, the SKILL.md metadata declares a required binary `gsd` and an install block (node package `gsd-pi` providing `gsd`). For a redirect-only placeholder, declaring a runtime binary requirement and an install package is unexpected but not necessarily malicious.
Instruction Scope
The instructions are limited to explaining the redirect and pointing users to install `gsd-orchestrator`. There are no commands, file reads, or network endpoints in the instructions that would broaden scope.
Install Mechanism
Registry metadata indicates no install spec, but SKILL.md contains an `install` metadata block (node package `gsd-pi`). This mismatch is incoherent. If followed, installing an npm package (`gsd-pi`) is a moderate-risk operation — verify the package source (npm, GitHub repo, publisher) before installing.
Credentials
The skill declares no required environment variables, credentials, or config paths. There is no evidence it requests excessive secrets.
Persistence & Privilege
The skill is not always-enabled and uses normal model invocation. It does not request persistent presence or modify other skills' settings.
What to consider before installing
This skill appears to be a placeholder that redirects users to `gsd-orchestrator`. It has no code files and the runtime instructions are harmless, but the SKILL.md metadata advertising a node package (`gsd-pi`) and a required `gsd` binary is inconsistent with a pure redirect. Before proceeding: (1) install the real `gsd-orchestrator` skill instead of this one; (2) if you plan to install the `gsd` binary or `gsd-pi` npm package, check the package publisher, README, and repository on npm/GitHub and scan the package for unexpected postinstall scripts or network calls; (3) do not provide credentials to this skill — it does not request any, and none are needed for the stated redirect purpose. If you want a definitive clean bill, inspect the actual `gsd-orchestrator` skill’s SKILL.md and install spec (source repository) before installing.

Like a lobster shell, security has layers — review code before you run it.

latest vk9736ajx4a9906e2nybyz7scnh83nxs8

Runtime requirements

Bins: gsd