Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meta Debugger

v1.0.0

AI-powered self-debugging system that identifies, analyzes, and fixes errors automatically. Learns from past errors, builds error patterns, generates fix sug...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (self-debugging, generate/apply fixes, learn from past errors) align with the code and SKILL.md. However, the Installation section suggests running `pip install json traceback ast`, which are Python stdlib modules and not pip packages — this is incoherent and unnecessary. That mismatch looks like sloppy documentation and reduces confidence in maintenance quality.
Instruction Scope
SKILL.md instructs the agent to analyze errors and to generate and apply fixes (code patches, configuration fixes, automatic application with rollback). Those capabilities are powerful: applying fixes autonomously can modify code or configs across the project. The documentation does not clearly constrain which files/paths may be changed, how patches are generated/applied, or what safeguards exist beyond a generic 'safe_mode' flag. This is scope-creep relative to simple error analysis and requires human review and sandboxing before use.
Install Mechanism
The registry shows no install spec (instruction-only plus a code file). That is lower risk because nothing is being automatically downloaded at install time. The one anomaly is the SKILL.md pip instruction to install standard-library modules — this is incorrect rather than malicious, but it is an incoherence that suggests the skill's documentation hasn't been reviewed.
Credentials
The skill requests no environment variables or external credentials, which is appropriate. The implementation sets a default storage path under the user's home (storage_path defaults to ~/.meta_debugger/<name>), so the skill will persist error and fix history locally; SKILL.md does not clearly document what user data (contexts, stack traces) will be recorded. Persisting contextual data may include sensitive inputs unless explicitly filtered.
Persistence & Privilege
The skill does not request 'always: true' and is user-invocable only. It does create a per-user storage path and keeps internal histories/patterns, which gives it ongoing local presence (data persisted to disk). That is not inherently malicious but should be considered when enabling auto_fix or using in production; the skill does not request system-wide privilege changes or modify other skills.
What to consider before installing
This skill appears to implement the advertised debugging and auto-fix features, but there are a few red flags to consider before installing or enabling autonomous fixes:

- Do not enable auto_fix in production yet. Test in a controlled environment where file changes are reversible (use source control or a sandbox). The skill can generate and apply patches; you should confirm exactly which files it will touch.
- The SKILL.md 'pip install json traceback ast' line is wrong — these are stdlib modules. Treat this as a sign the docs or packaging may be sloppy; request clarification from the author or inspect the code yourself.
- Inspect the full meta_debugger.py implementation (especially apply_fix, generate_fixes, and any persistence code) to see whether it writes files, runs shell commands, or makes network calls. The provided file sets a default storage path (~/.meta_debugger) and records error/context history — ensure sensitive inputs are filtered or not stored if that matters to you.
- If you plan to run with auto_fix=True or allow the agent to invoke the skill autonomously, restrict its permissions (run under a limited user) and ensure backups/CI checks are in place so accidental or incorrect patches can be detected and rolled back.
- If you need higher assurance, ask the owner for: (1) the full source code and a description of how apply_fix modifies files, (2) whether any remote endpoints exist for logging/telemetry, and (3) explicit data-retention and filtering policies for recorded contexts. If those answers are not available, run only in development/sandbox.

Like a lobster shell, security has layers — review code before you run it.
