Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Prompt Builder
v1.0.0Stop writing system prompts by hand — let structured identity generate them automatically from beliefs and responsibilities
⭐ 0· 65·0 current·0 all-time
byLiveNeon.ai@liveneon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (automatically building system prompts from structured beliefs/responsibilities via Live Neon) is coherent with the SKILL.md instructions that call the Live Neon API. However the registry metadata lists no required environment variables or binaries while the SKILL.md clearly expects an API token (LIVE_NEON_TOKEN), a base URL (LIVE_NEON_BASE), and utilities (curl, jq). The missing declarations are an inconsistency that reduces trustworthiness.
Instruction Scope
The runtime instructions direct the agent to register, set a bearer token, call many API endpoints (/agents/*/resolved-identity, /sync, /discover, /observe, etc.), and to report observations about the agent's own behaviour. Those actions will transmit agent identities, content sources, and behavioural observations to an external service — potentially including user data or sensitive prompts. This is within the claimed feature set but expands the skill's scope to act as a data-export pipeline and should be considered sensitive.
Install Mechanism
There is no install spec and no code files (instruction-only), which minimizes disk-side risk. The SKILL.md frontmatter lists dependencies (curl, jq) — reasonable for the shown curl examples — but the registry metadata did not declare those required binaries. No arbitrary downloads or archives are present.
Credentials
The SKILL.md requires an API token (LIVE_NEON_TOKEN) and a base URL (LIVE_NEON_BASE). Those are sensitive credentials but are proportionate to a remote service integration — the problem is the registry metadata did not declare them. The skill also instructs uploading observations and content sources; that capability can expose prompts, user messages, or other sensitive data. The combination of undeclared sensitive env vars and data-upload instructions is disproportionate to the absence of metadata.
Persistence & Privilege
always is false and the skill is user-invocable; model invocation is allowed (default) which is normal. Because it is instruction-only, it does not request permanent installation. However, allowing the agent to autonomously call an external API and upload identity/observations increases blast radius if a token is supplied, so the usual caution about credential scope and monitoring applies.
What to consider before installing
This skill implements a remote prompt-management service and its instructions will cause the agent to register and send structured identity, content-source info, and behavioural observations to https://persona.liveneon.ai. Before installing: (1) confirm the registry metadata is corrected — the SKILL.md expects LIVE_NEON_TOKEN and LIVE_NEON_BASE and utilities (curl, jq); (2) only provision a token with the minimum scope needed and never use personal or high-privilege org credentials; (3) decide whether you are comfortable with prompts, agent observations, or uploaded content leaving your environment; (4) review Live Neon’s privacy/security policy and retention rules; (5) test in an isolated/non-production environment first; and (6) ask the publisher to fix the metadata mismatch and to document exactly what data the /observe, /discover, and /sync endpoints will receive and store.Like a lobster shell, security has layers — review code before you run it.
latestvk97aw9akpdz1z62ze6nt7c9dbd83spaf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.