Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Identity Evolution

v1.0.0

Watch your agent's identity evolve from its own experience — continuous discovery, genome snapshots, and growth tracking

by LiveNeon.ai (@liveneon)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill's stated purpose (continuous identity evolution via a remote Live Neon platform) reasonably requires API access and tokens, and to connect content sources like GitHub/Twitter. However, the registry metadata declares no required environment variables or primary credential even though the SKILL.md shows explicit instructions to obtain and set LIVE_NEON_TOKEN/LIVE_NEON_BASE. That mismatch (claimed integration but missing declared creds) is disproportionate and inconsistent.
[!] Instruction Scope
The SKILL.md instructs agents to register, set a token, sync content sources (GitHub, websites, RSS, Twitter, LinkedIn, uploads), run discovery, and explicitly 'observe' and report the agent's own behavior. Those instructions enable sending conversation/behavior data and other observations to an external third party. The guidance is broad ("feed it content", "report an observation") and could lead to transmission of sensitive or private conversation contents; it also references hourly auto-sync and organization-level consensus detection, increasing the scope of what might be shared.
Install Mechanism
This is instruction-only (no install spec, no code files), which minimizes direct disk-write/remote-install risk. The declared runtime dependencies (curl, jq) are reasonable for an integration that makes HTTP calls and parses JSON.
[!] Credentials
Although the instructions require a bearer token (LIVE_NEON_TOKEN) and a base URL, the skill metadata lists no required env vars or primary credential. Also, the described connectors (GitHub, Twitter, LinkedIn) imply additional credentials or OAuth flows that are not declared. Requesting or encouraging storage of tokens without declaring them in the manifest is a proportionality and transparency problem and increases risk of unnoticed credential use or leakage.
Persistence & Privilege
The skill is not marked always:true and is user-invocable (normal). However, because it enables automated syncing and reporting of agent observations to an external service, allowing the agent to invoke this skill autonomously increases the blast radius: the agent could periodically transmit data without explicit per-message consent. Autonomous invocation alone is not a disqualifier, but combined with the instruction scope and missing credential declarations it raises privacy/privilege concerns.
What to consider before installing
Before installing or invoking this skill, consider that it is designed to send your agent's behavior, observations, and connected-source content to a third-party service (persona.liveneon.ai). Ask the author to:
(1) declare required env vars / primary credential in the manifest (e.g., LIVE_NEON_TOKEN),
(2) explain exactly what data 'observe' and sync operations will transmit and how long it's retained, and
(3) provide privacy/security docs (data handling, retention, access controls).
If you proceed: don't register with or store a token that has access to sensitive org data; avoid connecting high-privilege accounts (GitHub orgs, private repos, Slack, email); disable autonomous invocation or require manual confirmation for sync/observe actions; monitor network activity and tokens issued; and prefer a test/org-limited account until you can verify behavior.
If you cannot obtain clear answers, consider this skill risky for any environment with private or sensitive conversations.
