Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Foundry

v0.1.0

Self-writing meta-extension that forges new capabilities — researches docs, writes extensions, tools, hooks, and skills

MIT-0
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (a meta-extension that researches and writes extensions) is coherent with instructions to run 'openclaw plugins install @getfoundry/foundry-openclaw' and to write to ~/.openclaw/extensions/foundry/. Requiring node is reasonable. However, the manifest declares no required config paths or credentials while the SKILL.md instructs writing into ~/.openclaw and mentions publishing to a marketplace — a capability that normally needs tokens/credentials. This mismatch is noteworthy.
Instruction Scope
SKILL.md directs the agent to download and install an npm plugin, edit ~/.openclaw/openclaw.json, and restart the gateway. It also describes network research (docs, GitHub, arXiv) and self-modifying behavior (foundry_extend_self, autoLearn, autoPublish). These are powerful, cross-cutting actions (writing to user config, fetching arbitrary network content, self-modification). The security section claims blocks (child_process, eval, ~/.ssh, ~/.aws) and user review before disk writes, but those are policy claims inside instructions — the skill itself cannot enforce them. The instructions give the agent authority to add code/plugins to the environment, which expands its attack surface.
Install Mechanism
There is no install spec embedded in the skill; instead the SKILL.md tells the agent to install an npm package via 'openclaw plugins install', which will download and extract code from npm into the user's home directory and restart the gateway. Installing a third-party npm package is expected for an extension but is high-risk here because there is no code included for review, no pinned release URL, and the skill's claims about sandboxing and blocking dangerous APIs cannot be validated from this manifest.
Credentials
The registry metadata lists no required environment variables or config paths, yet SKILL.md expects to read/write ~/.openclaw configuration and to potentially publish to a marketplace or access GitHub/arXiv. Publishing or accessing private GitHub/npm/repos typically requires credentials (tokens) that are not declared. The absence of declared credentials while describing networked read/write/publish capabilities is a proportionality mismatch and a red flag.
Persistence & Privilege
always:false (good), but the skill explicitly instructs installing an extension that writes to ~/.openclaw and restarts the gateway and that can self-modify and auto-learn — persistent, system-level changes to the agent environment. These capabilities are powerful; combined with autonomous invocation (platform default) they increase the blast radius. The SKILL.md's promise of user review before disk writes mitigates risk only if actually enforced by the user or platform; it's not enforceable from the instruction file alone.
What to consider before installing
This skill asks the agent to install a third-party npm plugin that will be extracted into ~/.openclaw and can self-modify and publish new capabilities. The SKILL.md makes safety claims (blocking child_process/eval, sandboxing, user review) but those are unverified. Before installing:
1) Inspect the remote repository and the exact npm package version (github:lekt9/openclaw-foundry). Review the code yourself or have a trusted reviewer do so.
2) Prefer manual installation: run the openclaw plugins install command yourself in a controlled environment, not via an autonomous agent.
3) Back up ~/.openclaw/openclaw.json and disable autoLearn/autoPublish in config (set to false) until you trust the code.
4) If possible, install and test inside an isolated VM/container or ephemeral account.
5) Require and verify any publishing or GitHub/npm tokens; do not grant broad credentials.
6) If you want stricter safety, avoid enabling autonomous invocation for this skill or limit its permissions until you've audited the plugin.
If you cannot review the plugin code, treat this skill as high-risk and avoid installing it.
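A shell pre-install audit that carries out steps 1 and 3 of the checklist above, as an added example; it is not Foundry's, OpenClaw's or ClawHub's own tooling. It assumes the package name @getfoundry/foundry-openclaw from the scan text, that `npm pack` is available (it downloads the exact published tarball without running any install scripts), and that autoLearn and autoPublish are top-level boolean keys in ~/.openclaw/openclaw.json (the scan names the keys but not where they live in the file). The grep pattern lists the APIs and paths the SKILL.md claims to block; a hit is a line to read by hand, not proof of malice.

```shell
#!/usr/bin/env bash
# Added example: audit a third-party OpenClaw plugin before installing it.
# Not the skill's or platform's own code. Assumed: package name from the
# scan text, top-level autoLearn/autoPublish keys in openclaw.json.
set -euo pipefail

PKG="${PKG:-@getfoundry/foundry-openclaw}"
WORK="${WORK:-$(mktemp -d)}"

# Step 1a: fetch the exact published tarball and unpack it for review.
# `npm pack` downloads but does not install, so no lifecycle scripts run.
fetch_tarball() {
  local pkg="$1" version="$2"
  npm pack "${pkg}@${version}" --pack-destination "$WORK" >/dev/null
  tar -xzf "$WORK"/*.tgz -C "$WORK"
  printf '%s\n' "$WORK/package"
}

# Step 1b: grep the unpacked source for the APIs and paths the SKILL.md
# says it blocks (child_process, eval, ~/.ssh, ~/.aws) plus a few related
# ones. Matching lines go to stderr; the match count goes to stdout.
scan_source() {
  local dir="$1"
  local pattern='child_process|\beval\(|new Function\(|\.ssh|\.aws|process\.env|curl |wget '
  local hits
  hits=$(find "$dir" -type f \
           \( -name '*.js' -o -name '*.mjs' -o -name '*.cjs' -o -name '*.ts' -o -name '*.json' \) \
           -exec grep -EHn "$pattern" {} + 2>/dev/null || true)
  if [ -n "$hits" ]; then printf '%s\n' "$hits" >&2; fi
  printf '%s\n' "$hits" | grep -c . || true
}

# Step 3a: keep a timestamped copy of the config before anything edits it.
backup_config() {
  local cfg="$1"
  local bak="${cfg}.$(date +%Y%m%dT%H%M%S).bak"
  cp -p "$cfg" "$bak"
  printf '%s\n' "$bak"
}

# Step 3b: flip autoLearn/autoPublish from true to false. This is a sed
# substitution, not a JSON parser: fine for flat booleans, fragile for
# anything nested. Prints how many of those keys are still true (expect 0).
disable_autonomy() {
  local cfg="$1"
  sed -E -i.orig 's/("auto(Learn|Publish)"[[:space:]]*:[[:space:]]*)true/\1false/g' "$cfg"
  grep -Ec '"auto(Learn|Publish)"[[:space:]]*:[[:space:]]*true' "$cfg" || true
}

main() {
  local version="${1:?usage: RUN_AUDIT=1 $0 <exact-version>}"
  local src n
  src=$(fetch_tarball "$PKG" "$version")
  echo "unpacked to $src"
  n=$(scan_source "$src")
  echo "$n line(s) to review by hand (listed above)"
  local cfg="$HOME/.openclaw/openclaw.json"
  if [ -f "$cfg" ]; then
    echo "backup: $(backup_config "$cfg")"
    disable_autonomy "$cfg" >/dev/null
  fi
}

# Only run the network-touching flow when asked; the functions above can be
# sourced and exercised on a local directory without fetching anything.
if [ "${RUN_AUDIT:-0}" = "1" ]; then main "$@"; fi
```

Run it as `RUN_AUDIT=1 ./audit.sh 0.1.0` (substituting the exact version you intend to install), then read every reported line in context before running `openclaw plugins install` yourself. Pin the version you reviewed; a later release is a different code base.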

Like a lobster shell, security has layers — review code before you run it.

latest: vk972z6av5g1pe3em5p0cj2yyss80a102

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: node
