Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Workspace Indexer
v1.0.0自动扫描和更新 workspace 目录索引,记录目录用途、运行状态、相关记忆及搜索关键词,不深入分析项目文件。
⭐ 0· 331·0 current·0 all-time
byLeo_yang@harukaon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (maintain a workspace directory index) matches the declared runtime behavior and required tools. Requiring exec, read, write, and memory_search is coherent for scanning directories, reading READMEs/memory files, and writing WORKSPACE_INDEX.md.
Instruction Scope
SKILL.md explicitly instructs the agent to use memory_search and exec to scan the workspace, check READMEs, and detect running services/containers. That is within the stated purpose, but the use of exec and checks for running services can surface system-level information and container IDs beyond simple file metadata. Also the skill expects access to memory files (conversation logs), which may contain sensitive content.
Install Mechanism
Instruction-only skill with no install spec or external downloads; nothing is written to disk by an installer. Low install risk.
Credentials
No environment variables or external credentials are requested, which is appropriate. However, memory_search implies access to stored memory files (MEMORY.md, memory/*.md) and exec allows arbitrary shell commands—both can expose sensitive data even without credentials. This access is proportionate to the task but should be acknowledged by the user.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The skill writes a single WORKSPACE_INDEX.md in the workspace root per its purpose; it does not request installation-time persistence or modifications to other skills.
Assessment
This skill appears to do what it says—index workspace directories using memory lookups and shell commands. Before enabling automatic runs, consider: (1) review what your memory_search stores (conversation logs, sensitive notes) since the index will reference them; (2) restrict or audit the exec capability (run the skill manually first to see the exact commands it issues); (3) back up your workspace or run in a sandbox if you’re worried about accidental writes; (4) if you enable the suggested daily automation, add explicit checks to HEARTBEAT.md and confirm the agent’s permissions. If you need higher assurance, ask the author for an explicit list of the exact exec commands the skill will run when scanning and how it determines "running services/containers."Like a lobster shell, security has layers — review code before you run it.
indexervk976n2p98t33xskr1t99vbm88d81ycmmlatestvk976n2p98t33xskr1t99vbm88d81ycmmmemoryvk976n2p98t33xskr1t99vbm88d81ycmmorganizationvk976n2p98t33xskr1t99vbm88d81ycmmworkspacevk976n2p98t33xskr1t99vbm88d81ycmm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.