Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Adaptive Suite.Bak
v1.0.0A continuously adaptive skill suite that empowers Clawdbot to act as a versatile coder, business analyst, project manager, web developer, data analyst, and N...
⭐ 0· 41·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill claims to be a broad 'adaptive suite' (coding, data, PM, NAS scraping). The SKILL.md's embedded metadata requires binaries (python, node, curl, sqlite3) and an env var (FREE_API_KEYS) which are not declared in the registry metadata. The NAS metadata scraper capability implies filesystem access to scan NAS directories; that capability is not reflected in the registry requirements. These mismatches reduce confidence that requested capabilities are proportionate and documented.
Instruction Scope
The runtime instructions ask the agent to 'continuously search' the web, 'continuously learn' from user interactions, and to 'compile a localized desktop app' that scans NAS directories and collects file names and metadata (read-only). The SKILL.md does not define what happens to collected metadata (where it is stored/transmitted), what endpoints are contacted, nor explicit user-consent or sandboxing behavior. 'Continuously' and 'compile' are vague and could permit repeated network activity or generation/execution of code that touches local files.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no package download or archive extraction risk. That reduces supply-chain risk compared with skills that fetch and install binaries. However, the instructions expect runtime use of system binaries (python/node/curl/sqlite3), which could execute arbitrary commands when the agent follows the SKILL.md.
Credentials
SKILL.md declares an env var FREE_API_KEYS (and required binaries) but the registry entry lists no required env/binaries. FREE_API_KEYS is ambiguous: it could be benign (a place to store test keys) or could be used to hold multiple service credentials that the skill will use or aggregate. No other credentials are requested, which is not excessive, but the mismatch between declared requirements and runtime metadata is concerning and unexplained.
Persistence & Privilege
The skill is not marked always:true and is user-invocable (normal). However, the SKILL.md repeatedly instructs 'continuously' learning and searching. If the agent is allowed autonomous invocation (default), this could result in repeated background actions such as web crawling or repeated local scans. The skill does not request persistent installation, but its behavioral goal (continuous/adaptive) increases the operational footprint if used autonomously.
What to consider before installing
Before installing or enabling this skill, ask the author to clarify and align the documented requirements and runtime behavior: (1) fix the metadata mismatch — explicitly declare required binaries (python/node/curl/sqlite3) and the purpose of FREE_API_KEYS or remove it; (2) require an explicit, scoped consent step before any local NAS scanning and define precisely which paths are safe to scan; (3) require an explicit data-handling policy: where scanned metadata is stored, whether it will be transmitted off-machine, and to which endpoints; (4) restrict autonomous invocation or disable continuous/background operation unless you explicitly opt in; (5) if you allow the skill to generate or compile code, run that in a sandbox and review code before execution; and (6) prefer least-privilege (limit network access and filesystem scope) and avoid providing any real secrets until you understand exactly how they will be used. If the publisher cannot or will not provide these clarifications, treat the skill as potentially risky and avoid granting filesystem/network access or sensitive keys.Like a lobster shell, security has layers — review code before you run it.
latestvk97b2n53nf4hw84vgkawjs4fm183y8cr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.