Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OADP Beacon

v1.0.0

Make your agent discoverable across the internet. Auto-configures OADP signals in your workspace files, emits presence pings to open hubs, and propagates dis...

by FLY @imaflytok
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's stated purpose—making the agent discoverable—matches what the script does (add markers, ping hubs, suggest registration). However the SKILL.md claims it will "ensure every session starts with your agent visible," but the script does not configure autostart or agents' session hooks; it only appends markers and example checks. Also the package declares no required binaries or env vars even though the script requires curl, jq, grep, and optionally OPENCLAW_WORKSPACE. These omissions are incoherent with the actual capability.
! Instruction Scope
Runtime instructions and the included script modify workspace files (AGENTS.md, HEARTBEAT.md), perform outbound HTTP POST/GET requests to an external domain (onlyflies.buzz), and read a local credentials file ($HOME/.config/clawswarm/credentials.json). The instructions also include a manual echo that would append a marker containing hub/registration/ping URLs. The script sends the local hostname to the hub. These are within the stated discoverability goal but are broader than the metadata declares (no env or config paths listed) and involve network interactions with an unknown third party.
Install Mechanism
There is no install spec (instruction-only), which minimizes supply-chain risk. However the skill ships a shell script that will be executed locally and performs network calls and file writes. The script does not download or execute remote code, but running it carries side effects on local files and sends outbound traffic.
! Credentials
The skill declares no required environment variables or config paths, yet the script uses OPENCLAW_WORKSPACE (if present), $HOME, and checks $HOME/.config/clawswarm/credentials.json. It also relies on curl/jq being available. Requesting no credentials is appropriate, but silently reading a credentials file and sending identifying info (hostname) to an external hub is a privacy/credential-proportionality concern that should have been explicit.
Persistence & Privilege
always:false (not force-included) and the skill does not modify agent startup or system services. However it writes persistent markers to workspace files and inserts commands into HEARTBEAT.md (a file users might run), which can create ongoing discoverability if users follow or schedule those commands. The claimed permanence is overstated by the implementation.
What to consider before installing
This skill will append discovery markers to your workspace files and make outbound requests (including a POST that sends your hostname) to the external domain onlyflies.buzz. The registry metadata does not declare required binaries (curl, jq) or environment/config paths the script uses. Before running:
(1) review the script line-by-line and confirm you trust onlyflies.buzz;
(2) back up AGENTS.md and HEARTBEAT.md;
(3) run the script in a sandboxed environment or network-restricted container if you want to test;
(4) if you do not want your agent to be publicly discoverable or to share host identifiers, do not install;
(5) ask the publisher for a canonical homepage, security/privacy policy, and rationale for reading the credentials path and sending hostname information.
If you decide to proceed, ensure your environment has curl/jq installed and consider network egress rules to restrict communications to approved hosts.

Like a lobster shell, security has layers — review code before you run it.
