ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OrgX Power

v1.0.0

Power-user OrgX skill for OpenClaw. Use when you explicitly need the full mutation surface for entity CRUD, run control, checkpoints, stream reassignment, or...

0· 74·0 current·0 all-time
byHope Atina@hopeatina
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md documents an elevated 'power' set of OrgX mutation calls. Nothing requested (no env vars, no binaries) is out of scope for a purely-instruction skill that calls existing runtime plugin methods.
Instruction Scope
The instructions focus on calling elevated OrgX tools (create/update entities, run control, checkpoint restore). They do not ask the agent to read local files or unrelated env vars. However the doc explicitly references working against an 'unscoped /orgx/mcp endpoint' (i.e., bypassing domain-scoped safe surfaces), which is a potential scope escalation and should only be used where runtime authorization/audit controls are known.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing is downloaded or written to disk by the skill itself.
Credentials
The skill declares no environment variables, credentials, or config paths. That is proportionate to an instruction-only skill that expects pre-existing runtime plugin capabilities.
!
Persistence & Privilege
The skill is user-invocable and allowed to be invoked autonomously by the agent (platform default). Because it exposes an elevated mutation surface, autonomous invocation increases blast radius if the runtime grants these operations without additional auth, human approval, or auditing.
What to consider before installing
This skill intentionally exposes the platform's full admin/mutation surface. Only install/use it if you trust the runtime and need these privileged operations. Before enabling: (1) confirm the runtime enforces authorization and audit logging for the listed orgx_* methods, (2) restrict use to trusted agents/operators and require human approval for high-risk actions, (3) avoid granting the skill to agents that can act autonomously unless you have additional safeguards (manual approval/workflow gates, rate limits, or scoping), and (4) prefer the safer domain-scoped 'orgx' skill unless an operation truly requires the unscoped endpoint. If you cannot verify those controls, do not install or disable autonomous invocation for this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk977a1t384zr66gzrx62hv1rzx83skfk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments