Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Concurrent Process Algebra for AI Agents
v2.0.0
Manage AI agent workflows using concurrent process algebra patterns like parallel tasks, branch-fix loops, fan-out comparisons, and session status tracking.
by José I. O. @jose-compu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe multi-agent orchestration and the SKILL.md provides operators (saga, invertible, converse, guard, etc.) and JSON command shapes that match that purpose. Requesting an OpenClaw Gateway and session context (appendEvent) is consistent with an OpenClaw integration. However, asking the user to install an external npm package ('cpa-agents') is a notable dependency that is not bundled or verified by the skill manifest; the skill metadata lacks a homepage or source to justify that dependency.
Instruction Scope
The runtime instructions stay within the stated domain (workflow operators, commands like parallel/branch-fix/fan-out/status). They do not instruct reading arbitrary system files, exfiltrating data, or accessing unrelated environment variables. The only out-of-band action is the explicit 'npm install cpa-agents' instruction, which extends the skill's runtime behavior to code downloaded from the npm ecosystem.
Install Mechanism
The skill is instruction-only (no install spec), yet directs users to run 'npm install cpa-agents'. There is no provided provenance, homepage, or source repository for that package in the skill metadata. Installing an unvetted npm package can introduce postinstall scripts, remote code execution, or supply-chain compromise. The lack of an official install specification or known release host increases the risk.
Credentials
The skill does not declare or require any environment variables, credentials, or config paths. Its stated runtime needs (OpenClaw Gateway and a session context providing appendEvent) are proportional to the orchestration purpose and are not excessive.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges in the manifest. It does not instruct modifying other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.
What to consider before installing
This skill appears to do what it says (CPA-based agent orchestration) but it tells you to 'npm install cpa-agents' while providing no homepage, source repo, or provenance. Before installing or running it:
1) Verify the 'cpa-agents' package on the npm registry (owner, publish history, recent versions, maintainers).
2) Inspect the package contents and postinstall scripts (prefer cloning the repo or reviewing source before installing).
3) Run the package in an isolated environment (container or sandbox) first.
4) Ask the skill author for the source repository, changelog, and security contact; prefer skills that include a vetted install spec or published releases on a known host.
5) Ensure OpenClaw Gateway/session contexts are isolated from secrets and production systems while testing.
If you cannot verify the package/source, treat this as untrusted and avoid installing it in sensitive environments.
Like a lobster shell, security has layers — review code before you run it.
