Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

MYR

v1.3.0

Capture, verify, search, export, import, and synthesize Methodological Yield Reports to compound OODA cycle learnings across Starfighter/Pistis intelligence...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (capture, verify, search, export/import, synthesize MYRs) matches the SKILL.md. All runtime instructions (key generation, signing, export/import, search, verification, server for peer sync) are consistent with an intelligence-compounding P2P node.
Instruction Scope
The SKILL.md instructs the agent/operator to run networked services, generate persistent keys/config, run multiple node scripts, and open services for peer sync. It recommends setting MYR_HOME, running npm scripts, starting an HTTP server, and creating a launchd plist for persistence. The server exposes discovery and announce endpoints with no auth and supports automatic peer sync—this broad network behavior increases risk of data leakage or unwanted connectivity. The instructions do not ask for unrelated system files or external credentials, but they do direct persistent, network-exposing actions that go beyond a purely local helper.
Install Mechanism
The recommended 'one-step' install uses piping a raw GitHub-hosted install.sh to bash (curl -fsSL https://raw.githubusercontent.com/... | bash), which executes remote code without local review. The manual install path uses git clone + npm install (which will pull third-party npm packages). No checksums, signatures, or pinned release artifacts are provided. These practices elevate risk compared to a reviewed package or signed release.
Credentials
The skill does not request external environment variables or credentials in metadata. It does instruct creation of local keys and writing node_uuid/node_id to config.json and recommends setting MYR_HOME. Those local artifacts are proportional to a P2P node, but storing keys/config on disk and advertising node_url publicly are sensitive and should be handled carefully.
Persistence & Privilege
The documentation explicitly instructs creating a persistent service (macOS launchd example) and running a long-lived HTTP server that peers can reach. While the skill is not force-installed (always:false), installing it as described creates persistent network-facing behavior which increases attack surface and exposure if the software or its dependencies are compromised.
What to consider before installing
This skill appears to do what it says, but it carries real operational risk. Before installing:

(1) do NOT run the one-line curl | bash without review—download the install script and inspect it first;
(2) prefer cloning the repository and auditing the code (especially install.sh and server/index.js) before npm install;
(3) run initial tests in an isolated VM or container, not on a production host;
(4) avoid exposing the node_url to the public internet—use Tailscale/VPN and firewall rules, and restrict inbound ports;
(5) review how keys and config.json are stored and back up secrets securely;
(6) require authenticated peer pairing where possible and be cautious about accepting peer announces—unauthenticated discovery can leak metadata;
(7) request signed releases or checksums from the author if you need to deploy widely.

If you cannot review the code or run it in isolation, consider treating this as untrusted software.



