Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Factory Floor

v3.5.1

Startup coach for founders and early-stage teams. Trigger when someone mentions: "what should we focus on", "should we build X", "should we raise", "we're st...

by Mario @mmichelli
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill is a startup coaching router that reads local reference and stage files to triage founders. That purpose aligns with the files included (many reference/stage docs). Minor inconsistency: the registry metadata says 'instruction-only', but the package includes an installer (bin/install.mjs) and a small render script. This is plausible (it provides a convenience install), but it is something to be aware of.
Instruction Scope
SKILL.md instructs the agent to ask questions and load local stage/reference files; it does not instruct reading unrelated system files, environment variables, or transmitting data to external endpoints. The guidance stays within the stated coaching/triage scope.
Install Mechanism
There is no platform-declared install spec, but the package includes bin/install.mjs, which copies files into ~/.claude/skills/factory-floor and runs 'npm install' in the skill's scripts directory to install a diagram renderer (beautiful-mermaid). This writes into the user's home directory and will run npm lifecycle scripts for dependencies, a standard but non-zero-risk operation. No remote downloads beyond the npm registry are apparent.
Credentials
The skill requests no environment variables, credentials, or config paths. Its behavior and files do not require or access secrets — proportional to its coaching purpose.
Persistence & Privilege
The skill does persist files under the user's home (~/.claude/skills/factory-floor) when installed, which is expected for a locally-installed skill. It is set to always:false and does not request elevated or global agent privileges or modify other skills' configs.
Assessment
What to consider before installing:
- The installer (bin/install.mjs) copies files into ~/.claude/skills/factory-floor and runs 'npm install' in the skill's scripts folder. That will create files on disk and execute npm lifecycle scripts for any dependencies (normal for npm, but it can run code from the registry).
- The skill does not ask for credentials or read system secrets.
- If you trust the author (Swiftner) and are comfortable with a local install that uses npm, this is reasonable for a local Claude/agent skill. If you are cautious:
  • Inspect bin/install.mjs and scripts/package.json yourself (they're short and present) before running. The installer is plain (cpSync + npm install).
  • Inspect the dependency 'beautiful-mermaid' (or the scripts/package.json) for any unexpected install scripts or unusual dependencies.
  • Optionally run the installer in a sandboxed account or container, or copy files manually instead of running the shipped installer.
- No red flags for hidden networking or secret exfiltration were found in SKILL.md or the docs; the main remaining risk is standard npm install behavior. If you need stronger assurance, ask the publisher for a canonical repository URL or signed release to verify authenticity.
bin/install.mjs:53
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.
