Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AI Growth Engine

v1.0.0

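AI Growth Engine: a general-purpose self-iteration framework (review → extract patterns → tune parameters → verify → record), a growth operating system that any agent or profession can use.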

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md advertises a concrete Python API (AIGrowthEngine class, methods like configure, run_rapvl_round, growth_history) and explicit outputs (growth_reports/*.json). However, the skill bundle contains only documentation files (SKILL.md, README, VERIFICATION_PROTOCOL.md, HEARTBEAT.md) and no code files or declared install steps. That means the claimed runtime capabilities are not present in this package — either the skill is purely an instruction/template or it expects an external package to be installed. This disconnect is disproportionate to the stated purpose and should be clarified.
Instruction Scope
The instructions themselves are domain-focused (RAPVL loop, metrics, file paths for reports and history) and don't ask the agent to access unrelated credentials or system-wide secrets. They do assume the ability to read/write workspace files and to call a Python module. Because no implementation is included, the SKILL.md may implicitly require installation of external code or creation of files; verify where that code would come from and whether it will write to your workspace or other paths.
! Install Mechanism
No install spec is provided inside the skill bundle despite the README/SKILL.md showing an install command (clawhub install ai-growth-engine) and import examples. That suggests installation relies on an external registry or repository. Without an install specification or included code, it's unclear what 'clawhub install' would fetch (which URL, which release, what code). This gap increases risk because arbitrary code could be pulled at install time.
Credentials
The skill does not request any environment variables, credentials, or special config paths. The lack of requested secrets is proportionate to the stated purpose (tracking/metrics and local reports).
Persistence & Privilege
The skill describes persistent outputs (growth_reports, history files) and automated triggers (daily runs, every-10-round reports). always is false and autonomous invocation is allowed by default. This is not inherently problematic, but you should expect the skill (or the external code it installs) to read and write files in the agent workspace and possibly run periodic tasks; verify what will be persisted and whether those files could contain sensitive data.
What to consider before installing
This package looks like documentation and an API spec rather than runnable code. Before installing or running it:

1) Confirm the actual code source — inspect the referenced GitHub repo (https://github.com/KingOfZhao/AGI_PROJECT) or the registry entry that 'clawhub install' would pull from; do not run an installer that downloads unknown archives.
2) If you intend to use it, review the implementation code for any network calls, telemetry, or unexpected file system operations.
3) Be aware the skill expects to write reports/history to your workspace — avoid using sensitive directories, or run it in an isolated workspace/container.
4) If you're uncertain about the provenance, treat this as documentation-only (implement the logic yourself) rather than blindly installing external code.

Verifying the actual package contents and install URL would change this assessment to benign if they match the described API and are from a trusted source.

Like a lobster shell, security has layers — review code before you run it.
