Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CodeConductor.ai
v1.0.1AI-powered platform for rapid full-stack app development, autonomous agents, workflow automation, and scalable product creation with low-code and AI integrat...
⭐ 0· 3k·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name and capability list match (software/AI development persona). However, the SKILL.md repeatedly calls itself an "agentic AI platform" yet provides no integration points, endpoints, install steps, required credentials, or concrete capabilities. If this were truly a platform, one would expect API URLs, auth requirements, or install/config instructions; their absence is ambiguous (could be a harmless persona or incomplete/misleading documentation).
Instruction Scope
The runtime file is essentially a capabilities/profile list and contains no precise runtime constraints or allowed actions. It is open-ended and could be interpreted by an agent to take broad, unspecified actions (e.g., create autonomous agents, reach out to external services, or request credentials) because it contains language like "agentic AI platform" and "enabling autonomous AI agents" without guardrails. The SKILL.md does not instruct the agent to read any specific local files or env vars, but its vagueness grants broad discretion — this is a scope creep risk.
Install Mechanism
No install spec and no code files are present (instruction-only skill). This minimizes risk from arbitrary downloads or local execution since nothing will be written to disk by an installer.
Credentials
The skill requires no environment variables, binaries, or config paths. That is proportionate given the file is only a persona/instruction document. Note: because it promotes autonomous agent creation, watch for future prompts from the skill that might request credentials or tokens — none are declared here.
Persistence & Privilege
The skill does not request 'always: true' and uses default autonomous-invocation settings. Autonomous invocation is normal, but combined with the skill's agentic language this increases potential impact if the agent later takes actions to create/coordinate other agents or to request/handle secrets. No direct persistence or modification of other skills is requested.
What to consider before installing
This skill is essentially a marketing/persona sheet claiming to be a full "agentic AI platform" but it includes no implementation details, no endpoints, and no declared permissions — that mismatch is the main risk. Before installing or enabling it: (1) verify the publisher/source and prefer skills with a homepage or repo; (2) ask the author for a clear SKILL.md that lists allowed actions, required env vars, and any external endpoints; (3) never supply credentials or tokens unless the skill explicitly documents why they are needed; (4) test the skill in a restricted/sandboxed environment first and monitor what network calls or credential requests it makes; (5) prefer skills that are specific and prescriptive rather than vague marketing claims. If you need an AI development persona, consider one that documents exact capabilities and constraints.Like a lobster shell, security has layers — review code before you run it.
latestvk974kf0k26v1a3c2hw2b7794m9800s7dlatest Code Conductor SKILL CC aivk976nk3dwg594mw81ecrvbqm8x800m34
License
MIT-0
Free to use, modify, and redistribute. No attribution required.