ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentic Loop Upgrade

v2.4.1

Enhanced agentic loop with planning, parallel execution, confidence gates, semantic error recovery, and observable state machine. Includes Mode dashboard UI...

0· 923·2 current·2 all-time
by@maverick-software
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth tokenRequires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and included code (orchestrator, gates, state, UI) align with an 'agentic loop upgrade'. The skill legitimately needs to wrap the agent runner, persist state under ~/.openclaw/, and call the host LLM provider. However the package references host credentials and environment variables (e.g., ${OPENAI_API_KEY}, resolveApiKeyForProvider) even though requires.env lists none — this mismatch should be clarified.
!
Instruction Scope
SKILL.md and SECURITY.md state the skill appends only additive 'plan status' to the system prompt, but a pre-scan flagged 'system-prompt-override' patterns in the SKILL.md and the codebase includes runner-wrapping and memory auto-injection (SurrealDB) that injects semantic memory into the system prompt. Appending user-memory content into the system prompt can effectively change agent behavior and may contain user-provided facts that act as new directives; this is scope-expanding and requires careful inspection of the exact injection code and formatting.
Install Mechanism
No explicit install spec is provided (instruction-only), but the skill bundle contains many source and dist files and scripts (verify.sh). Not having a build/install spec isn't necessarily malicious, but it means you should inspect the included scripts (especially verify.sh) and how the host 'openclaw skill install' will load/run those files. There's no external download URL at runtime per SECURITY.md, which lowers remote-install risk.
!
Credentials
The manifest declares no required environment variables or primary credential, yet the documentation and troubleshooting text reference resolving host provider credentials and using environment variables like ${OPENAI_API_KEY}, and the optional SurrealDB auto-inject feature depends on mcporter/gateway runtime env. The skill reads host agent auth profiles at runtime (inherits credentials) — this is expected for an orchestrator, but because it's not declared in requires.env the relationship is under-documented and could surprise non-expert users. Confirm how credentials are resolved, whether any secrets are written or logged, and that the skill truly does not persist sensitive tokens.
Persistence & Privilege
Persistence is limited to ~/.openclaw/ per the docs and the skill is opt-in (not always:true). The skill wraps the agent runner (wrapRun) which gives it supervisory control of agent calls — normal for an orchestrator but increases blast radius if combined with other issues (e.g., prompt injection or credential misuse). Approval gates default on for high/critical ops which mitigates risk, but you should verify gate enforcement paths.
Scan Findings in Context
[system-prompt-override] unexpected: SKILL.md and SECURITY.md claim 'additive-only' prompt appends, but the scanner found patterns matching system-prompt override behavior in the runtime instructions. Whether this is an actual override or a benign append needs manual code inspection (search for any code that sets or replaces 'systemPrompt' or writes full prompt content rather than appending).
What to consider before installing
What to check before installing: - Source provenance: The skill lists a GitHub/ClawHub location in README but the registry 'Homepage' is unknown. Prefer installing only from a verified repository and confirm commit signatures. - Review prompt-injection surface: Inspect the parts that append/inject into the agent 'system prompt' and the SurrealDB auto-inject logic. Ensure injected content is strictly non-directive and limited in size/format. Search the code for any replace/overwrite of system prompts, not just append operations. - Credential handling: Confirm the exact code that resolves provider credentials (resolveApiKeyForProvider). Ensure it does not log, cache, or transmit secrets elsewhere. If you run in environments where OPENAI_API_KEY or similar are present, recognize the skill will read the host agent's credentials (not necessarily declared in manifest). - Memory auto-injection: Keep memory.autoInject disabled until you've audited the SurrealDB integration. Auto-injecting knowledge into the system prompt can change agent behavior and may leak sensitive facts into model context or external channels. - Sandbox test: Enable and test the skill in a non-production sandbox agent first. Use the provided scripts/verify.sh --network-audit to confirm no unexpected outbound connections. Monitor file writes under ~/.openclaw/ and check logs for any unexpected operations. - Approval gates & config: Verify the approval-gate enforcement is active for your production agents and that timeouts/auto-proceed behavior match your risk tolerance. Consider tightening thresholds (increase ask-human threshold) before broad enablement. - Code audit: If you are not comfortable auditing the entire bundle yourself, request an independent code review focusing on prompt injection, credential access, network calls, and any use of exec/file snapshot/rollback logic (checkpoint rollback writes files back to original paths). Summary: the skill appears to implement the advertised features, but inconsistencies around prompt modification patterns and undeclared env/credential interactions make it worth manual review and sandbox testing before enabling on sensitive agents or production.
scripts/verify.sh:97
Environment variable access combined with network send.
src/dist/llm/caller.js:20
Environment variable access combined with network send.
src/llm/caller.ts:57
Environment variable access combined with network send.
!
src/dist/llm/caller.js:35
File read combined with network send (possible exfiltration).
!
src/llm/caller.ts:71
File read combined with network send (possible exfiltration).
!
references/context-management.md:140
Prompt-injection style instruction pattern detected.
!
references/task-hierarchy.md:235
Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97c7wprvccqdn86qdeppxrh3x84x0pw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments