Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and the SKILL.md all describe an AI self‑improvement framework; required resources, dependencies, and absence of installs/credentials align with a conceptual/instructional skill.
Instruction Scope
Instructions tell the agent to '主动拉消息' (actively pull messages), '记录成长轨迹' (record growth/metrics), and to output confidence/uncertainty and log prediction vs actual results, but do not specify where/how data is stored, what endpoints to poll, or consent/retention policies. These open‑ended directives give the agent broad discretion to access external channels or persist user data, which is out of scope for a purely advisory skill unless boundaries are defined.
Install Mechanism
Instruction‑only skill with no install spec and no code files — low risk from installation artifacts.
Credentials
Skill requests no environment variables, no credentials, and no system paths. The declared dependent skills are plausible for a self‑improvement framework. There are no disproportionate secret requests.
Persistence & Privilege
always:false and no explicit persistent install. However, the SKILL.md explicitly encourages proactive polling and continuous self‑tracking; if the agent is permitted autonomous invocation or given connectors, that could enable background network activity or data collection. The skill itself does not request elevated platform privileges, but its behavioral guidance increases the effective blast radius if invoked autonomously.
What to consider before installing
This skill is conceptually coherent, but it instructs the agent to actively pull messages and to record/track outcomes without specifying storage, endpoints, or consent — that missing detail is the main risk. Before installing, ask the author: where will logs/records be stored, who can access them, which external endpoints (APIs, chat channels) may be polled, what retention/erase policies apply, and whether user consent is required for proactive polling. If you install it: keep autonomous invocation disabled (require explicit user invocation), deny or tightly scope any connector/network permissions, review the listed dependent skills for their runtime behaviors, and monitor what external requests the agent makes during initial use. If the author cannot provide clear, bounded answers about storage and network access, treat the skill as untrusted for sensitive data.Like a lobster shell, security has layers — review code before you run it.
latestvk976jeg0b4663hcax5x8g36k2h84m620
License
MIT-0
Free to use, modify, and redistribute. No attribution required.