Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI Company Governance
v3.1.0AI Company 统一治理技能包 — 将 21 个 ai-company 系列技能融合为单一标准化、模块化、通用化的治理框架。 包含 C-Suite Agent 体系(CEO/CFO/CMO/CHO/CPO/CLO/CTO/CQO/CISO/CRO/COO)、 Hub-and-Spoke 架构、Orchest...
⭐ 1· 85·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's purpose (company governance/orchestration) matches the content of the SKILL.md and reference files. However, SKILL.md repeatedly references local artifacts (config.yaml, agent-registry.json, knowledge-base/, audit/ directories, ceo-decisions/, etc.) while the registry metadata reports no required config paths or environment variables. That mismatch (expects workspace files but declares none) is an incoherence you should clarify.
Instruction Scope
The instructions are detailed and scoped to governance tasks (session_send message format, audit logging, CI/CD for prompts, agent registration, guardrails). They do instruct reading and writing structured local files and using sessions_send for cross-agent calls, which is consistent with an orchestration/gov skill. The SKILL.md does not instruct reading obvious system secrets (e.g., ~/.ssh or ~/.aws) and contains explicit 'vetter' checklist language prohibiting such actions.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing is downloaded or extracted.
Credentials
The skill declares no required env vars or primary credential (proportionate for a docs-only governance framework). However, the API spec reserves external integration hooks (REST/Webhook/MCP) which would normally require credentials at deployment time; the skill does not declare those. Also the skill allows external-notifier middleware and mentions external configs — you should expect to provide any needed API keys yourself if you enable integrations.
Persistence & Privilege
always: false and no explicit requests to persist configuration beyond writing its own audit/log files. The skill's allowed-tools list includes write/read so it can create its own knowledge-base and audit logs; that is consistent with its stated purpose, but writing to arbitrary paths should be limited to the workspace/specified directories.
What to consider before installing
Before installing: 1) Confirm where config.yaml, agent-registry.json, and knowledge-base/audit directories will live and whether the skill may create/overwrite them — require explicit file paths or a sandbox workspace. 2) Limit the skill's runtime tool permissions if possible (restrict exec access or limit which commands it may run). 3) If you plan to enable external integrations (webhooks/REST), provide credentials separately and only for the minimal scopes required. 4) Review and test in an isolated environment to confirm audit-log behavior and ensure no unexpected reads of system secrets. 5) Ask the publisher to update metadata to declare required config paths and any env vars expected at runtime — the current mismatch is the primary red flag.Like a lobster shell, security has layers — review code before you run it.
ai-companyvk974f992wzycs34nvweyms4z4984rvfyauditvk974f992wzycs34nvweyms4z4984rvfyauto-recruitvk9753jpqwykp9tepr1321msavd84m8rhc-suitevk9753jpqwykp9tepr1321msavd84m8rhc-suite-protocolvk974f992wzycs34nvweyms4z4984rvfygovernancevk974f992wzycs34nvweyms4z4984rvfylatestvk976v4kqb39zt9cqj0fkdb91j184t8qxmainvk9753jpqwykp9tepr1321msavd84m8rhnist-ai-rmfvk974f992wzycs34nvweyms4z4984rvfyregistryvk974f992wzycs34nvweyms4z4984rvfy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.