Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Code Remediation with Gomboc.ai Community Edition

v0.2.5

Automatically scans and generates deterministic, merge-ready code fixes for infrastructure, app code, and configs using Gomboc.ai's Open Remediation Language.

by Gomboc AI (@gomboc-ai) · duplicate of @iiamit/gomboc-remediation
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md, README, and CLI wrapper consistently describe a remediation tool that calls https://api.app.gomboc.ai/graphql using a GOMBOC_PAT token — this is coherent with the stated purpose. However, the top-level registry metadata in the provided bundle listed 'Required env vars: none' and 'Primary credential: none', while .clawhub.yml and the code require GOMBOC_PAT. That metadata mismatch is unexpected and should be resolved (the runtime clearly needs a token).
Instruction Scope
Runtime instructions and the CLI wrapper focus on scanning, requesting fixes, and (optionally) remediating code via the Gomboc API. The scripts read repository files under the provided path and make HTTPS requests to the documented Gomboc GraphQL endpoint. There are no instructions to read unrelated system files or to exfiltrate arbitrary data beyond what the Gomboc API calls would transmit (account and scan/fix info).
Install Mechanism
This is an instruction-only skill (no install spec). It includes code files and a docker-compose that references the Docker image gombocai/mcp:latest. There is no automatic installer, but running the docker-compose will pull a container image from a public registry — validate that image and its provenance before running. No other unusual download URLs or obfuscated installers were found.
Credentials
The actual runtime requires a single sensitive env var (GOMBOC_PAT) used for Bearer authentication to the remote API — appropriate and proportionate for this service. However, the provided registry metadata incorrectly indicates no required env vars; this inconsistency could mislead users and policy engines. Ensure you only provide a dedicated, least-privilege token and do not reuse broader credentials.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills or global agent config. It can be invoked by agents (normal default). The code does not contain autonomous installation or privilege-escalation behavior.
What to consider before installing
This skill appears to be a legitimate wrapper around the Gomboc.ai remediation API and requires a personal access token (GOMBOC_PAT). Before installing:
1. Verify the skill's origin/repository and that the package you received actually comes from the official Gomboc project.
2. Confirm the .clawhub.yml requirement for GOMBOC_PAT (the registry metadata in the bundle is inconsistent with it).
3. Only provide a dedicated, least-privilege token (do not reuse org-wide or cloud credentials) and store it in your CI secrets manager.
4. Inspect and vet the Docker image gombocai/mcp:latest before running docker-compose; a mutable :latest tag cannot be tied to a specific reviewed build, so pin the image to an immutable digest once you have verified it.
5. Run the CLI and any setup scripts in a sandbox or isolated test repo first to confirm behavior.
6. Require human review of auto-generated fixes / PRs before merging or enabling auto-commit/push in CI.
These checks reduce the risk from misconfiguration or a malicious/compromised upstream image.
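The two findings above that can be checked mechanically are the metadata mismatch (registry metadata declaring no required env vars while the code reads GOMBOC_PAT) and the image pulled by a mutable tag. The script below is an added example of such a pre-install check; it is not code from the skill or from Gomboc.ai. Because the real ClawHub metadata schema is not shown on this page, it assumes a simplified "Required env vars: ..." metadata line, and the three-file bundle it audits is constructed to reproduce the scan's findings.

```python
"""Cross-check a skill bundle: env vars its metadata declares vs. env vars its
code actually reads, plus compose images referenced by tag instead of digest.
Added example; the 'Required env vars:' line and SAMPLE_BUNDLE are assumptions
modelled on the scan findings, not the real ClawHub metadata or skill files."""
import re
from typing import Dict, List, Set

# Common ways code reads an environment variable (Python, Node, shell/compose).
ENV_READ_PATTERNS = [
    re.compile(r'os\.environ(?:\.get)?\s*[\[(]\s*["\']([A-Z][A-Z0-9_]+)["\']'),
    re.compile(r'os\.getenv\s*\(\s*["\']([A-Z][A-Z0-9_]+)["\']'),
    re.compile(r'process\.env\.([A-Z][A-Z0-9_]+)'),
    re.compile(r'\$\{?([A-Z][A-Z0-9_]{2,})\}?'),   # $VAR or ${VAR} in shell / compose
]
# `image:` lines in a compose file; a digest-pinned reference contains '@sha256:'.
IMAGE_LINE = re.compile(r'^\s*image:\s*(\S+)', re.MULTILINE)
# Variable names that look like credentials (heuristic, used only to rank findings).
SECRET_HINT = re.compile(r'(TOKEN|PAT|SECRET|KEY|PASSWORD)', re.IGNORECASE)


def env_vars_read(text: str) -> Set[str]:
    """Return the names of environment variables the given source text reads."""
    found: Set[str] = set()
    for pat in ENV_READ_PATTERNS:
        found.update(pat.findall(text))
    return found


def declared_env_vars(metadata_text: str) -> Set[str]:
    """Parse the assumed 'Required env vars: A, B' line ('none' or absent -> empty set)."""
    m = re.search(r'^Required env vars:\s*(.*)$', metadata_text, re.MULTILINE)
    if not m:
        return set()
    value = m.group(1).strip()
    if not value or value.lower() == 'none':
        return set()
    return {v.strip() for v in value.split(',') if v.strip()}


def unpinned_images(compose_text: str) -> List[str]:
    """Images pulled by mutable tag; these cannot be tied to a reviewed build."""
    return [img for img in IMAGE_LINE.findall(compose_text) if '@sha256:' not in img]


def audit_bundle(files: Dict[str, str], metadata_name: str = 'metadata.txt') -> Dict[str, object]:
    """Compare declared vs. used env vars across every non-metadata file in the bundle."""
    declared = declared_env_vars(files.get(metadata_name, ''))
    used: Set[str] = set()
    images: List[str] = []
    for name, content in files.items():
        if name == metadata_name:
            continue
        used |= env_vars_read(content)
        if name.startswith('docker-compose'):
            images += unpinned_images(content)
    undeclared = used - declared
    return {
        'declared': declared,
        'used': used,
        'undeclared': undeclared,
        # Undeclared credential-like vars are exactly what misleads users and policy engines.
        'undeclared_secrets': {v for v in undeclared if SECRET_HINT.search(v)},
        'unpinned_images': images,
    }


def has_findings(report: Dict[str, object]) -> bool:
    """True when the bundle should be blocked pending manual review."""
    return bool(report['undeclared_secrets'] or report['unpinned_images'])


# Constructed bundle reproducing the mismatch described in the scan (not the real skill files).
SAMPLE_BUNDLE: Dict[str, str] = {
    'metadata.txt': 'name: gomboc-remediation\nRequired env vars: none\nPrimary credential: none\n',
    'gomboc_cli.py': (
        'import os\nimport requests\n'
        'TOKEN = os.environ["GOMBOC_PAT"]\n'
        'ENDPOINT = "https://api.app.gomboc.ai/graphql"\n'
        'HEADERS = {"Authorization": f"Bearer {TOKEN}"}\n'
    ),
    'docker-compose.yml': (
        'services:\n  mcp:\n    image: gombocai/mcp:latest\n'
        '    environment:\n      - GOMBOC_PAT=${GOMBOC_PAT}\n'
    ),
}

if __name__ == '__main__':
    report = audit_bundle(SAMPLE_BUNDLE)
    for key, value in report.items():
        print(f'{key}: {sorted(value) if isinstance(value, set) else value}')
    raise SystemExit(1 if has_findings(report) else 0)
```

Run as a script it exits non-zero on findings, so it can gate a skill install or a CI job. The patterns are heuristics: code that loads variables through a dotenv library or builds the name dynamically will not be caught, so a clean result is necessary but not sufficient, and a flagged mismatch still needs a human to read the code.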
