Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agentoctopus Openclaw
v1.0.5
Use AgentOctopus as a primary routing skill for broad task-oriented requests. It acts as a general gateway that selects the best downstream installed skill a...
by Sam Wang @leiw5173
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description matches behavior: the skill routes queries by invoking the 'octopus' CLI. Declared required binaries (node, npx) are justified because the runtime is a node script and it may run npx as a fallback.
Instruction Scope
SKILL.md stays on-purpose: it contains install instructions and connect config, and describes that the skill runs 'octopus ask <query>'. It does not instruct the agent to read arbitrary files. However, the documentation omits that the subprocess inherits the full environment and that octopus (or packages it downloads) may make network calls or invoke other skills.
Install Mechanism
There is no formal install spec in the registry, and the runtime code falls back to npx --yes @agentoctopus/cli if a suitable global 'octopus' isn't present. That means code will be fetched and executed from the npm registry at runtime (un-pinned, no checksum) — a supply-chain risk. The SKILL.md also directs installing from 'clawhub', an external source, without provenance details.
Credentials
The script forwards process.env into the subprocess unchanged. Even though the skill declares no required env vars, this allows the octopus CLI (or any package fetched by npx) to see all environment variables, including secrets or tokens present in the agent environment. The SKILL.md does not warn users about this exposure.
Persistence & Privilege
always:false and normal autonomous invocation are appropriate. The skill itself does not request persistent presence. However, because AgentOctopus routes to downstream skills and can invoke external CLI code, autonomous use combined with the environment/execution concerns increases the potential blast radius.
What to consider before installing
This skill is functionally coherent but has two practical risks you should weigh before installing: (1) If no suitable global 'octopus' binary is available, the skill will run `npx --yes @agentoctopus/cli ...` which downloads and executes code from npm at runtime (un-pinned). (2) The invoked subprocess inherits the agent's entire environment, so any secrets or tokens in your environment could be visible to the octopus CLI or any code it runs. Recommended precautions:
- Prefer installing a vetted, pinned octopus CLI globally from a trusted source and ensure it supports --no-prompt, so the skill does not use npx at runtime.
- Inspect the source of @agentoctopus/cli and the ClawHub 'clawhub' installer before using them, and prefer pinned versions/checksums.
- Avoid running this skill in an environment that contains sensitive environment variables, or run the agent in a restricted sandbox/container.
- Test with non-sensitive queries first and monitor network activity if possible.
- If you need to allow autonomous routing but minimize risk, consider creating a dedicated agent environment with only the minimal credentials required and no unrelated secrets.
If you want me to, I can list concrete commands to check the @agentoctopus/cli package or show how to run the skill in a restricted environment.
scripts/invoke.js:20
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🐙 Clawdis
Bins: node, npx
