Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
MiroFish Predict
v1.0.1MiroFish 群體智能推演引擎。當用戶要求「推演」「預測」「模擬」「如果…會怎樣」時使用。透過 55 個 AI Agent 在模擬社交平台上互動推演未來趨勢。
⭐ 1· 329·3 current·3 all-time
by@iml1s
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (55-agent simulation) aligns with required binaries (mirofish CLI and docker) and the single declared secret (LLM_API_KEY). Installing an npm CLI to provide the 'mirofish' binary is a coherent way to implement this functionality.
Instruction Scope
SKILL.md instructs only to run mirofish CLI commands, start/stop Docker backend, and set an LLM API key (via env, OpenClaw config, or ~/.mirofish/.env). It does not instruct reading unrelated system files or requesting unrelated credentials.
Install Mechanism
Install is an npm package (mirofish-cli) which is a typical, traceable mechanism. However the runtime includes pulling and running a Docker backend image (SKILL.md indicates images are pulled on first start) — pulling/running unknown container images increases risk and should be reviewed (image origin not specified in SKILL.md).
Credentials
Only one environment variable (LLM_API_KEY) is required and is appropriate for a tool that drives many LLM calls. No unrelated secrets or config paths are requested. Note: the skill will send user prompts and generated context to the LLM provider associated with that key, so the key should be scoped/trusted.
Persistence & Privilege
Skill is not always-enabled and does not request special platform privileges. It writes/reads its own config (~/.mirofish/.env) per instructions which is normal for a CLI tool; it does not request modifying other skills or system-wide agent settings.
Assessment
This skill appears to be what it claims: a multi-agent simulation that needs Docker and an LLM API key. Before installing: 1) Verify the mirofish-cli npm package and its maintainer (inspect the GitHub repo and package contents). 2) Confirm which Docker image(s) the CLI will pull and inspect them (unknown images can run arbitrary code on your machine). 3) Use a scoped or low-privilege LLM API key or local model if possible, and set file permissions on ~/.mirofish/.env. 4) Consider limiting billing/quota on the API key (simulations are token-heavy). If you cannot verify the package or images, treat the runtime as higher risk and avoid supplying high-privilege credentials.Like a lobster shell, security has layers — review code before you run it.
ai-agentsvk9757efad8sjgr2q9tbwe8qkg582r612latestvk9757efad8sjgr2q9tbwe8qkg582r612predictionvk9757efad8sjgr2q9tbwe8qkg582r612swarm-intelligencevk9757efad8sjgr2q9tbwe8qkg582r612
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🐟 Clawdis
Binsmirofish, docker
EnvLLM_API_KEY
Primary envLLM_API_KEY
Install
Install MiroFish CLI (npm)
Bins: mirofish
npm i -g mirofish-cli