Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Vibe Coding Cn
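v4.1.0 · AI team collaboration that automatically generates complete projects. 5 Agents + SPEC.md + Agent voting approval + requirements traceability. Must be used in an OpenClaw environment.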
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious · medium confidence
Purpose & Capability
Name/description (AI team orchestration, SPEC.md, 5 agents, voting, incremental updates) align with the provided code, docs, and required binary (node). Declared capabilities (sessions_spawn, file_read, file_write) match the implementation and examples which use OpenClaw sessions_spawn and write output files. No unrelated credentials or config paths are requested.
Instruction Scope
The SKILL.md explicitly instructs the Orchestrator to spawn subagents (sessions_spawn), run multi‑phase workflows, perform quality checks, and save generated files to the workspace. Many examples show automated vote-based decision logic and auto‑proceed semantics ('自动决策,无需用户等待', i.e. "automatic decisions, no need for the user to wait"). While some examples show asking for confirmation, the docs repeatedly state that decisions can be automatic, meaning the skill can produce and persist code changes without explicit, enforced user approval. SKILL.md also includes examples that open folders and suggests running an optional WebSocket UI; these actions touch the local filesystem and can introduce network exposure if the optional server is run.
Install Mechanism
No external download/install spec is provided (skill is packaged with source files). package.json/DEPENDENCIES.md declare only native Node modules for core functionality and an optional 'ws' for the visual dashboard. There are no remote code downloads or obscure third‑party install URLs in the provided materials. Postinstall behavior is mentioned in docs; verify any postinstall scripts before running.
Credentials
The skill requests only the 'node' binary and no environment variables or external credentials, consistent with its stated design that uses OpenClaw's sessions_spawn or an injected llmCallback (relying on the platform's LLM). There are no declared secrets requested by the skill. The only potential indirect need is access to the OpenClaw session APIs (sessions_spawn), which is appropriate for an OpenClaw-only skill.
Persistence & Privilege
always:false (good), but the skill is designed to be invoked by the agent and can autonomously run workflows that write files into the user's workspace and (optionally) start a local UI server. The combination of autonomous invocation (the platform default), file_write capability, and explicit language about '自动决策,无需用户等待' ("automatic decisions, no need for the user to wait") increases the risk that changes will be applied without an unambiguous user consent step. Consider treating the skill as high‑impact until you confirm it always asks for explicit confirmation before persisting nontrivial changes.
What to consider before installing
This skill appears to implement the described multi‑agent project generator and mostly asks for proportional capabilities (node, OpenClaw sessions). However, it is designed to make automated decisions and save generated files into your workspace, sometimes explicitly without waiting for user approval. Before installing or enabling it:
1) Review the executor code (executors/vibe-executor-v4.1.js and index.js) to confirm when and how saveFiles()/file writes are triggered.
2) Test the skill in a disposable/sandbox workspace to observe what it writes and whether it asks you to confirm changes.
3) Avoid running optional servers (the 'ws' dashboard) unless you trust the environment and have checked the server code.
4) If you want tighter control, require the skill to run only in a user‑invoked mode or modify it so every save/action requires explicit user confirmation.
5) If you lack time to audit code, treat the skill as potentially able to modify local files and proceed accordingly (back up important workspaces first).
executors/vibe-executor-v4.1.js:389
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Runtime requirements
🎨 Clawdis
OS: Linux · macOS · Windows
Bins: node
