Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Forge
v2.3.0Create, build, review, repair, and validate complete Agent Skill packages through a six-phase pipeline, outputting finished installable skill files.
⭐ 0· 47·0 current·0 all-time
byIndigo Karasu@indigokarasu
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name, description, SKILL.md, README, and skill.json consistently describe a skill-authoring/builder that reads intake files and writes build artifacts and journals. Declared filesystem read/write permissions (~/openclaw/data/ocas-forge and journals) align with the described behavior. No unrelated env vars, binaries, or external credentials are requested.
Instruction Scope
SKILL.md explicitly instructs processing intake files, running a six-phase build pipeline, writing finished installable packages, and persisting journals and logs under ~/openclaw. It does not instruct reading unrelated system files or exfiltrating secrets. Important caveat: Forge's default behavior is to output complete installable package file contents — this is a high-impact side effect (it will create code/assets that could later be executed if installed). The SKILL.md also mentions self-updates from GitHub and scheduled jobs, which implies network operations even though no network credentials are declared.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code to run. No downloads, archives, or external package installs are declared, which minimizes install-time risk.
Credentials
The skill requests no environment variables or credentials and only the narrow filesystem access to its own data and journals directories. That access is proportionate to a component that persists intake files, build logs, and journals.
Persistence & Privilege
always:false (not force-included) and autonomous invocation is allowed (default). Autonomous operation combined with the capability to generate full installable packages and schedule self-updates increases the operational impact if misused. Forge claims heartbeat/cron registration for intake and self-update — these behaviors should be reviewed in deployment policy, but they are not inherently inconsistent with the stated purpose.
Assessment
Forge is coherent for its purpose: it will build and write complete, installable skill packages and keep logs/journals under ~/openclaw. Before installing or enabling it, consider: (1) Require manual review/approval of any package Forge produces before installation — do not auto-install outputs. (2) Restrict or monitor its filesystem and network capabilities if your environment allows policy controls (prevent writing to unexpected locations or pulling arbitrary GitHub code). (3) Vet the upstream GitHub source the skill references if you allow its self-update feature. (4) Monitor journals/decisions files it writes and intake processing to ensure it only processes expected Mentor proposals. These controls will reduce risk from legitimately powerful but high-impact behavior. If you want lower risk, run Forge in an isolated/test environment and inspect build outputs before trusting them in production.Like a lobster shell, security has layers — review code before you run it.
latestvk97e3yseca4gh1nxy82jmsq3qx83sq9w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.