MiroFish Predict

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is coherent and purpose-aligned, but users should notice that it installs/runs external CLI and Docker components, uses an LLM API key, and may keep a local backend running.

This appears safe to use if you trust the MiroFish CLI and Docker image. Before installing, check the project/package source, use a limited LLM API key if possible, start with low simulation rounds to control cost, and stop the Docker backend when finished.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing or running the skill means trusting the MiroFish CLI package and its Docker image.

Why it was flagged

The skill relies on an external npm package and a Docker image pulled during first setup; these components are central to the stated purpose but are not included in the artifact contents.

Skill content

"package": "mirofish-cli" ... "The Docker image is pulled automatically on first run"

Recommendation

Install only if you trust the package/source, and consider reviewing the linked project and package provenance before use.

What this means

Simulations may use your LLM provider account and incur token costs.

Why it was flagged

The skill requires an LLM API key to run simulations, which is expected for its function but gives the CLI access to a billable credential.

Skill content

Requires Docker Desktop and an LLM API key ... `export LLM_API_KEY=xxx`

Recommendation

Use a scoped or low-limit API key where possible, monitor usage, and avoid sharing keys in prompts or reports.

What this means

A local backend may continue running until stopped, consuming local resources.

Why it was flagged

The skill documents a Docker backend that can be started and stopped; this is disclosed background behavior rather than hidden persistence.

Skill content

`mirofish serve start` | Start the Docker backend ... `mirofish serve stop` | Stop the backend

Recommendation

Use `mirofish serve status` and `mirofish serve stop` when finished.