Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AgentMesh Governance
v1.0.0AI agent governance, trust scoring, and policy enforcement powered by AgentMesh. Activate when: (1) user wants to enforce token limits, tool restrictions, or...
⭐ 0· 723·4 current·4 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and shipped scripts align with governance, trust scoring, identity verification, and audit logging. Requiring python3/pip is reasonable for the provided Python-based scripts. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
Runtime instructions are scoped to running the included scripts and (optionally) a backing 'agentmesh' Python package. However, the scripts embed user-supplied shell variables directly into python -c string literals (e.g., '$ACTION', '$DID', '$MESSAGE'), which can break or allow code injection if arguments contain unescaped quotes or malicious payloads. Also, generate-identity.sh warns to 'Store your private key securely' but the script does not expose or export the private key — this is confusing and could lead users to believe a private key was produced and saved when it was not.
Install Mechanism
No install spec is included (instruction-only), which is low risk. SKILL.md suggests 'pip install agentmesh' or installing from a GitHub repo via pip (git+https://github.com/imran-siddique/agent-mesh.git). Installing an external Python package from PyPI or a git repo will execute third-party code on the host — a normal pattern but a supply-chain risk that users should audit first. The GitHub URL itself is a common host, not an obscure or shortened URL.
Credentials
The skill requests no credentials or special config paths. The operations performed (reading a local policy.yaml, returning JSON results) are proportionate to the governance use-case. There are no hidden environment variable accesses in the scripts.
Persistence & Privilege
The skill does not request permanent/always presence and does not modify other skills or global agent config. It runs as on-demand scripts and optionally delegates to an external Python package for persistent functionality; this is consistent with the described behavior.
What to consider before installing
This skill appears to implement the claimed governance functions and the included scripts match the description. Before installing or running it: (1) review the upstream 'agentmesh' package source if you plan to pip install it — installing packages runs remote code; (2) avoid passing untrusted or unsanitized input to the scripts because they interpolate shell args directly into python -c string literals (quotes or special characters could break the Python code or be exploited); (3) note that generate-identity.sh does not emit or save a private key despite its warning — verify key handling if you need persistent key material; (4) run the scripts in a sandboxed environment or container the first time, and audit the referenced GitHub repo and package code if you intend to rely on persistent trust/identity functionality.Like a lobster shell, security has layers — review code before you run it.
auditvk974be3w8km5m2zrvr13hs7rdn81bc6renterprisevk974be3w8km5m2zrvr13hs7rdn81bc6rgovernancevk974be3w8km5m2zrvr13hs7rdn81bc6ridentityvk974be3w8km5m2zrvr13hs7rdn81bc6rlatestvk974be3w8km5m2zrvr13hs7rdn81bc6rmulti-agentvk974be3w8km5m2zrvr13hs7rdn81bc6rsecurityvk974be3w8km5m2zrvr13hs7rdn81bc6rtrustvk974be3w8km5m2zrvr13hs7rdn81bc6r
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🛡️ Clawdis
Binspython3, pip