Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ResonanceEngine

v0.1.0

Conversational Frequency Matching — reads invisible micro-signals in every conversation and tells the bot exactly how to respond for maximum engagement, conv...

by John DeVere Cooley (@jcools1977)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (resonance, engagement, conversion) matches the included Python implementation: signal extraction, frequency computation, tuning recommendations, and yield prediction. No unrelated credentials, binaries, or platform access are requested.
Instruction Scope
The SKILL.md and code explicitly produce ready-to-inject prompt fragments (TuningRecommendation.to_prompt_injection()) and instruct integrators to append those fragments to the bot's system prompt. That behavior is consistent with the skill's goal but is a sensitive capability (it can alter model behavior and potentially override safety or policy prompts). The SKILL.md does not caution about safeguarding system-level instructions or preserving existing safety/guardrails.
Install Mechanism
The registry lists no install spec (instruction-only), but SKILL.md suggests 'pip install openpaw' or cloning a GitHub repo. The code is bundled in the skill archive so execution doesn't require network installs; if you choose to 'pip install' or clone, verify the package/source first (the example GitHub URL in SKILL.md has a trailing hyphen and may not be authoritative). No download-from-arbitrary-URL patterns appear in the code.
Credentials
The skill requires no environment variables, no credentials, and does not read external config paths. All data handling is local to conversation text, consistent with its stated purpose.
Persistence & Privilege
The skill is not marked 'always: true' and does not request elevated platform privileges or attempt to modify other skills' configurations. It simply exposes an API (engine.analyze) and returns tuning recommendations — normal for this class of skill.
Assessment
This package appears to implement what it claims: algorithmic analysis of conversation text and generation of tuning instructions. Before installing or deploying:
1) Review and test the code locally (the skill ships source and tests) to verify behavior.
2) Be cautious about using result.recommendation.to_prompt_injection() to automatically mutate your system prompt — that is effectively a prompt-injection primitive and can change model behavior or bypass safety rules; instead, manually review or sandbox injected fragments and ensure your safety/policy prompts remain authoritative.
3) If you plan to pip install from PyPI or clone the GitHub repo, verify the package name and repository (the SKILL.md example repo URL looks possibly malformed).
4) Consider legal/ethical implications of deploying automated persuasion/monetization logic (consent, transparency, regulated domains).
5) If you need stronger assurance, run the included tests and consider a security review or running the code in a restricted environment before production use.


latest: vk973m51c30bfkssgz3md0kkd3d8235s3
