Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jumpstart

v1.0.1

Sets up and manages a long-running agent harness for complex, multi-session coding projects. Use this skill whenever a user invokes jumpstart, jumpsession, j...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match what the SKILL.md instructs: scaffolding feature_list.json, progress logs, init script, and running session loops. The skill needs access to the repository (read/write) and to run shell/git commands — these are proportional to its purpose.
Instruction Scope
Instructions are focused on reading three design files, creating scaffold files, running the project init script, and using git for commits and logs. They do instruct the agent to modify the repository (create files, commit changes) which is expected for this harness; there are no instructions to read unrelated system files, environment secrets, or to exfiltrate data.
Install Mechanism
Instruction-only skill with no install spec and no code files. Nothing is downloaded or written by an installer, so install-mechanism risk is minimal.
Credentials
The skill declares no required environment variables, binaries, or config paths. The actions it performs (file reads/writes, git commands, running init.sh) match that declaration; no unexplained credential access is requested.
Persistence & Privilege
always is false (normal). The skill permits autonomous invocation (platform default) and its runtime instructions let an agent modify the repo and commit changes — this is coherent with the harness purpose but increases blast radius if the agent is allowed to run unsupervised. No indication it alters other skills or system-wide settings.
Assessment
This skill is internally consistent with its stated purpose, but it grants an agent the ability to modify your repository and run project scripts. Before installing or invoking it: (1) run it on an isolated/test repository (no secrets, no production data), (2) remove or lock git remotes if you do not want automatic pushes, (3) review any generated init.sh and feature_list.json before executing them, (4) require human checkpoints for critical milestones or disable autonomous invocation until you are comfortable, and (5) inspect the full (untruncated) jumpsession prompt to confirm it does not run unexpected commands (e.g., git push, network uploads). If you need lower risk, run jumpstart manually rather than allowing the agent to run jumpsession/jumploop autonomously.

Like a lobster shell, security has layers — review code before you run it.
