ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Recruiter

v2.0.0

招聘 Agent 工具 - 创建、配置和管理 OpenClaw Agent。 参考 [agency-agents](https://github.com/msitarzewski/agency-agents) 的专业 agent 模板结构。 **当以下情况时使用此 Skill**: (1) 需要创建新的 Agen...

0· 223·1 current·1 all-time
by@junchen19
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the included files and script: it creates agent directories, generates agent.json, updates openclaw.json and restarts the gateway. However, the package metadata claims no required binaries while the runtime script expects node and the openclaw CLI to be present; that mismatch should be fixed or disclosed.
!
Instruction Scope
SKILL.md and scripts instruct the agent to read and modify user configuration under ~/.openclaw, copy models.json and auth-profiles.json from existing agents, and restart the gateway. These actions are in-scope for agent creation but include copying auth-profiles.json (which may contain secrets) and performing system-wide changes (openclaw.json modification and gateway restart) without explicit safeguards.
Install Mechanism
This is an instruction-only skill with an included shell script and templates — there is no external download or package installation. No high-risk installers or remote URLs are used in the files provided.
!
Credentials
The skill declares no required environment variables or credentials, but it will copy auth-profiles.json from another agent if present. That file is likely to contain authentication information; duplicating it into new agent directories can spread sensitive credentials. Also the script uses node and openclaw binaries but does not declare them as required.
Persistence & Privilege
The skill does not request always:true or any special platform privileges. It does modify OpenClaw configuration files and restarts the gateway (normal for this purpose), which is an expected level of system change for an agent-creation tool.
What to consider before installing
This skill appears to implement an agent-creation workflow, but take these precautions before installing or running it: - Verify prerequisites: ensure node and the openclaw CLI are installed; the script calls `node -e` and `openclaw gateway restart` but the skill metadata lists no required binaries. - Backup before running: save a copy of ~/.openclaw/openclaw.json (and any other config) so you can restore if changes are unintended. - Inspect auth-profiles.json: the script may copy ~/.openclaw/agents/mike/agent/auth-profiles.json into the new agent; review that file for API keys or secrets and decide whether you want to duplicate those credentials. - Dry run / test with non-sensitive data: try creating a test agent id and verify outcome before using real group IDs or production model/auth files. - Confirm restart impact: restarting the gateway affects all agents; schedule the operation to avoid disrupting live workflows. If you want this skill to be less risky, ask the maintainer to: (1) declare required binaries (node, openclaw), (2) add an explicit prompt/confirmation before copying auth files, and (3) provide a dry-run mode and safer handling of secrets.

Like a lobster shell, security has layers — review code before you run it.

latestvk975rs7t6014xkd7zpp4by87ps831ehj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments