Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Ideonomy Engine — Creative Reasoning for AI Agents
v0.3.3
Structured creative reasoning through ideonomic lenses. Use when stuck on a problem, need fresh perspectives, want to think more creatively or systematically...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description, and runtime instructions (CLI usage and profiles) are coherent with a creative-reasoning engine. However, the registry metadata lists 'Source: unknown' and no homepage is provided, which reduces trust and makes it harder to verify the implementation behind the claimed capability.
Instruction Scope
SKILL.md contains straightforward instructions to run a CLI (ideonomy) and describes options and expected output. It does not instruct the agent to read unrelated files, environment variables, or exfiltrate data. The content stays within the skill's stated purpose.
Install Mechanism
Although the skill metadata contains no install spec (it's instruction-only), SKILL.md instructs users to 'npm install -g @clawdactual/ideonomy-engine'. That is a concrete recommendation to install a third-party npm package with no provided repository, homepage, or publisher verification. Installing global npm CLIs can execute arbitrary maintainer-controlled code on the host; the absence of provenance is a meaningful risk.
Credentials
The skill requests no environment variables, credentials, or config paths. The minimal privileges requested are proportionate to a reasoning/CLI helper.
Persistence & Privilege
Metadata sets always: false and follows normal defaults. The skill does not request permanent/autonomous elevation or modify other skills. No persistence concerns are evident in the provided files.
What to consider before installing
This skill appears to do what it says (a CLI-based creative-thinking engine), but exercise caution before installing or running the suggested npm package:
1) Verify the npm package and publisher (search npmjs.org and look for a repository/homepage and a trustworthy author).
2) Inspect the package source (package.json, entry points, and any install/postinstall scripts) before running, especially if installing globally.
3) Prefer installing in a sandbox/container or use npx rather than npm -g if you want to test.
4) If you plan to let an agent run the CLI, confirm where the CLI will send network requests and whether it spawns child processes.
If you can provide the package repository or more provenance (homepage, source repo, checksum), I can re-evaluate with higher confidence.
Like a lobster shell, security has layers — review code before you run it.
