ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Creative Lateral Thinking

v1.0.0

创意横向思维 Skill —— 打破线性推理的创意碰撞框架,六顶思考帽×四向碰撞×跨界类比引擎

0· 83·1 current·1 all-time
by@kingofzhao
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes a concrete Python API (from skills.creative_lateral_thinking import CreativeLateralThinking) and an install command (clawhub install creative-lateral-thinking), implying a packaged implementation. The registry entry and file manifest contain only documentation files (README, SKILL.md, HEARTBEAT.md, VERIFICATION_PROTOCOL.md) and no code files or install specification. This mismatch (documented runtime API vs. no implementation) is an incoherence that could indicate an incomplete or misleading package.
Instruction Scope
The runtime instructions themselves are limited to creative thinking patterns and example Python calls — they do not instruct the agent to read arbitrary system files, access credentials, or exfiltrate data. However, they assume the existence of a local Python module with methods that are not present in the package, which could lead an agent to attempt to fetch/install unknown code from other sources or the registry.
Install Mechanism
There is no install spec in the package and no code to install. The README and SKILL.md reference 'clawhub install creative-lateral-thinking', but because no install instructions or artifacts are packaged here, the actual effect of that command is undefined. This is not itself high-risk, but is inconsistent and could cause the client to download external artifacts at install time — verify the registry/remote package source before allowing install actions.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The SKILL.md does not reference any secrets or system credentials. From the provided files, there is no evidence it requests disproportionate access to environment or credentials.
Persistence & Privilege
The skill does not request always: true and uses default invocation settings. There is no evidence in the package that it modifies other skills or system-wide settings. Persistence/privilege concerns are minimal based on the provided metadata.
What to consider before installing
This package looks like documentation for a creative-thinking skill but lacks the actual implementation it advertises. Before installing or invoking it: 1) Check the referenced homepage/repo (https://github.com/KingOfZhao/AGI_PROJECT) to confirm a published package/artifacts and review the actual code. 2) If 'clawhub install' would fetch a remote package, inspect the package tarball or source first (look for a skills/creative_lateral_thinking module and its code). 3) Avoid running the install in a privileged environment; use an isolated sandbox. 4) If you need the capability, request the author or publisher to supply the implementation files or a clear install spec. 5) Do not grant any secrets or elevated permissions unless you can review the code that will be executed. The main risk here is misleading/incomplete packaging rather than explicit malicious behavior, but that ambiguity warrants caution.

Like a lobster shell, security has layers — review code before you run it.

latestvk978vcgssj8vwkh1x37e9yvve983zpv7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments