Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Proprioception

v1.0.0

Self-spatial awareness for AI agents. Gives your bot a real-time sixth sense of where it is relative to the user's goal, its own confidence boundaries, conve...

by John DeVere Cooley @jcools1977
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description, the CLI entrypoint (node script), and the sensor modules align: the package implements five local analysis sensors and a dashboard. Requiring node is coherent. However, the reference doc includes a 'Data Flywheel Potential' section describing aggregating telemetry across sessions — that capability is described but not implemented in the shown code. This is a minor inconsistency: it could be aspirational, but it raises a question about whether future/hidden code will collect or export telemetry.
Instruction Scope
SKILL.md and the scripts describe only local analysis of conversation text and producing alerts or an ASCII dashboard. The CLI interface accepts the conversation context and prior signals via arguments; there are no instructions in SKILL.md that ask the agent to read arbitrary system files, environment variables, or to call external endpoints. Based on the visible code, the runtime scope is limited to analyzing provided text.
Install Mechanism
No install spec is provided (instruction-only), which is low risk in general. However, the skill bundle contains several Node scripts that will be executed by the agent runtime (node required). Because there is no package-install step and no external download, there is no immediate network-based install risk — but the agent will execute bundled JS. Verify how your agent runtime executes skill code (sandboxing, permission model).
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The visible code does not read process.env or request credentials. This is proportional to a purely local text-analysis capability.
Persistence & Privilege
Skill flags are default (not always:true), and scripts shown do not modify other skills or global agent config. The code produces output and a dashboard but does not persist data or install background services in the provided files. Confirm how the agent runtime handles skill storage and logs.
What to consider before installing
What to check before installing:
- Review the omitted file (text-utils.js) and any other truncated/omitted files. Those utilities implement tokenization, similarity, and pattern counting — if they also include network calls, file writes, or telemetry hooks, that would change the assessment.
- Double-check there are no hidden network calls or use of process.env in the full codebase. The reference doc mentions a "Data Flywheel" (collecting aggregate telemetry). That is not present in the visible scripts, but if telemetry/upload code exists elsewhere it would be unexpected for a skill that claims “zero external API calls.”
- Confirm how your agent runtime executes skill code: is execution sandboxed, are filesystem and network accesses restricted? Running this skill in a restricted test environment first is prudent.
- If you plan to use this in production, ask the author for provenance (who published it) and for an explicit statement about data handling (no telemetry, no uploads, no logging outside the agent).

The skill is coherent with its stated purpose, but the missing file and the 'data flywheel' language are reasons to verify there's no undeclared telemetry or side effects.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🧠 Clawdis
Bins: node
