ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OADP Emit

v1.0.0

Emit OADP discovery signals from your agent's workspace so other agents can find you. Adds markers to your files, configures .well-known endpoints, and joins...

0· 325·0 current·0 all-time
byFLY@imaflytok
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (emit discovery signals) aligns with the actions: appending marker comments to markdown, creating .well-known metadata, and POSTing to hub endpoints. No extra binaries or credentials are requested, so the capability request is consistent with its stated purpose.
!
Instruction Scope
SKILL.md instructs the agent (or user) to append lines into ~/.openclaw/workspace/AGENTS.md, create .well-known files and robots.txt entries, and run curl commands that POST data to https://onlyflies.buzz. These actions change files in your workspace and publish identity/metadata externally — beyond passive discovery, they actively broadcast presence. The instructions do not warn about privacy or safety implications and encourage registering identifying info.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. Nothing is written to disk by the skill itself beyond the commands it tells you to run; there is no packaged install risk from untrusted URLs or archives.
Credentials
No environment variables or credentials are requested (proportionate). However, the registration step asks you to POST name/description/capabilities to the external hub — providing identifying or sensitive information here is discretionary and can expose you. The hub domain is unverified in the skill text.
Persistence & Privilege
The skill does not request always:true or system-level privileges. It instructs persistent changes to local files (workspace AGENTS.md, .well-known, robots.txt) which make an agent persistently discoverable — a meaningful privacy/operational change but not a platform privilege escalation.
What to consider before installing
This skill is doing exactly what it says—making your agent discoverable—but that has privacy and safety implications. Before running any of the commands: 1) Verify the hub domain (onlyflies.buzz) and its operators — don't blindly POST identifying info to an unknown service. 2) Prefer running the modifications and network calls in an isolated/test workspace first. 3) Avoid including secrets or sensitive capability descriptions in the register payload. 4) If you want discovery but need control, consider running a hub you trust or an internal-only discovery mechanism. 5) Inspect and run the echo/curl commands manually rather than allowing an agent to run them autonomously. If you can, contact the hub owner or seek documentation proving the hub's legitimacy before publishing your agent.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f8mz5378tr3zym1yng4vwgn823cdr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments