Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Universal Occupation Adapter
v1.0.0通用职业适配器 —— 输入任何职业名称,自动生成完整的职业专用认知Skill,让SOUL哲学覆盖所有职业
⭐ 0· 58·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md describes a Python class API (UniversalOccupationAdapter), install commands, auto-publish and batch-generate behaviors, and generation of new Skill packages — but the published bundle contains no code files or install spec. That mismatch (promised programmatic module + install but no code) is incoherent: either required code is missing or the documentation misrepresents what the skill actually provides.
Instruction Scope
Runtime instructions explicitly instruct web searches (Wikipedia/GitHub), file generation (SKILL.md/VERIFICATION_PROTOCOL/HEARTBEAT/README), self-verification, batch generation, and optional auto-publish to ClawHub. Those actions involve network access and creating/publishing artifacts. The instructions do not request credentials or explicitly limit destinations, so an agent following them could contact external sites and attempt to publish results without clear safeguards.
Install Mechanism
There is no install spec in the bundle (instruction-only), which is lowest technical risk. However the README/SKILL.md advertise 'clawhub install' and a cp-based manual install; because no install spec or packaged code exists, those commands are misleading and would fail or have unclear effects.
Credentials
The skill declares no required environment variables or credentials, yet its examples and features (auto_publish to ClawHub, GitHub/Wikipedia searches, potential API usage for verification/publishing) imply needing service credentials or tokens. The absence of declared credentials vs. implied external integrations is a mismatch that could lead to unexpected credential prompts or failures.
Persistence & Privilege
The skill does not request always-on presence and has defaults that allow user invocation and autonomous invocation. HEARTBEAT.md describes periodic checks for queued requests, implying background polling, but the bundle provides no mechanism to install such a daemon. No explicit system-wide privileges or modifications to other skills are requested.
What to consider before installing
This skill's documentation promises a Python API, automatic generation, verification, and publishing of new 'occupation' skills, but the package contains only instructions and templates — no executable code or declared credentials. Before installing or invoking it:
- Ask the author for the missing implementation (the UniversalOccupationAdapter module) or a clear disclaimer that the SKILL.md is a high-level spec only.
- Do not enable auto_publish/auto_verify or any batch auto-run flags until you know where outputs will be sent and whether publishing requires credentials.
- Expect the adapter to perform web searches and create files in the workspace; run it in a sandboxed environment or review generated files before publishing.
- If you intend to use publishing features (ClawHub/GitHub), require explicit documentation about what credentials are needed and how they are stored; prefer personal tokens with least privilege.
- If you need high assurance, request unit tests or an actual implementation package and review that code before granting network access or tokens.Like a lobster shell, security has layers — review code before you run it.
latestvk971zsf4t6xvr3gm4e2s5kw13583yv7a
License
MIT-0
Free to use, modify, and redistribute. No attribution required.