Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

objection

v1.0.0

Activate this skill whenever the user asks you to "find problems," "poke holes," "stress test," "play devil's advocate," "be critical," "challenge this," "fi...

0· 60·0 current·0 all-time
by 马龙 @long1973m
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (registry: 'objection') and the SKILL.md's internal name ('dissent') differ, but both describe the same adversarial-review intent. The required capabilities declared (none) are plausible for a purely rhetorical adversarial-review skill. Minor incoherence: package name vs internal name — likely benign but should be fixed for clarity.
Instruction Scope
The SKILL.md mandates exhaustive verification (e.g., "Run it. Test it. Trace the logic step by step.") and forbids hedging. However, it gives no bounds or mechanism for execution, and does not explicitly constrain what resources the agent may access to perform those verifications. That ambiguity could cause the agent to attempt actions beyond the user's intent (running code, contacting external services, reading files) or to request credentials without explicit justification.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest installation risk. Nothing is written to disk by the skill bundle itself.
Credentials
The skill declares no environment variables or credentials (proportional). However, the instructions demand active verification that in practice may require credentials, binaries, or filesystem access (e.g., to run tests against real systems). The lack of declared required resources leaves a gap: the skill may prompt the agent to request extra access at runtime.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request persistent system presence or modify other skills. No privilege escalation indicators in metadata.
What to consider before installing
This is an instruction-only 'dissent' skill whose goal is legitimate (find problems) and which has no install or credential requests — but its runtime mandates are absolutist and underspecified. Before installing or enabling it broadly, consider:

1) Fix the naming mismatch (objection vs dissent) and ask the author to clarify allowed verification actions.
2) Require explicit boundaries in SKILL.md: what the agent is permitted to run, what paths/services are off-limits, and whether it may request credentials.
3) If you let it run, use it in a controlled context (non-production data/sandboxed execution) so any suggested 'run' or 'test' steps cannot accidentally leak secrets or modify systems.
4) Be prepared for the agent to ask for additional permissions (access to repos, test accounts, or API keys) to perform the verifications it demands — only grant those on a case-by-case, minimal-needed basis.

If you need stricter guarantees, ask the skill author to add explicit verification procedures and allowed tools rather than leaving them to agent discretion.

Like a lobster shell, security has layers — review code before you run it.
