ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Workspace Standard

v1.0.0

Set up and maintain a structured OpenClaw workspace with project boundaries, role-based file taxonomy, and memory budgets. Use when: (1) bootstrapping a new...

0· 574·0 current·0 all-time
by@marcus-daemon
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description promise tooling to bootstrap and audit a workspace; the included scripts only create directories/files and scan local files for front-matter, budgets, and stale dates. No unrelated credentials, binaries, or external services are required.
Instruction Scope
SKILL.md and README instruct the agent (and user) to run the provided init and audit scripts against the local workspace. The scripts only read or write local workspace files and a local optional config (.workspace-standard.yml). They do not collect or transmit data externally, nor do they access environment variables beyond local config parsing and standard shell utilities.
Install Mechanism
There is no packaged install spec (instruction-only). The README suggests optional downloads from raw.githubusercontent.com (a known host) or cloning a GitHub repo; these are documented user actions and not performed automatically by the skill. No archive extraction or remote executables are installed by the skill itself.
Credentials
The skill declares no required env vars, no credentials, and no config paths beyond an optional .workspace-standard.yml in the workspace root. The scripts do not attempt to read secrets or external tokens.
Persistence & Privilege
Registry flags are default (always:false, agent-autonomy allowed). The skill creates files and directories within the workspace (including a skills/ directory) but does not modify other skills' configs or system-wide settings. Note: the init script will overwrite files only when --force is passed, so review before using --force.
Assessment
This skill appears coherent and limited to local workspace organization. Before installing or running the scripts: (1) review the two shell scripts to confirm you understand what they create; (2) run them in a git-tracked workspace (so you can inspect and revert changes with git); (3) avoid using --force unless you intend to overwrite templates; (4) if you choose the README's curl/git install routes, verify the URLs are correct (they point to GitHub raw content) before executing; (5) remember the agent may autonomously consult this skill when deciding where to write files — if you prefer to control changes manually, avoid granting the agent unrestricted autonomous actions.

Like a lobster shell, security has layers — review code before you run it.

latestvk97eba2ymkstwmmrmzp3jwavp181fcbp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments