ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Core Extractor

v1.0.0

Export the agent core from supported framework repositories into a small source-only zip for AI migration or cross-framework analysis. Use when the user want...

0· 140·0 current·0 all-time
by@moshiii
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description, SKILL.md, README, and the included script all align: they detect repository framework signatures and copy a small set of source files into a staging directory and zip it. No unrelated credentials, binaries, or services are requested.
Instruction Scope
The runtime instructions are limited to running the bundled shell script which reads repositories under a configurable base directory (default ~/Documents/GitHub). This is in-scope for extracting agent-core files, but note the script will read arbitrary files within those repos (including any config files present) and will fail/exit if a specified repo is missing or unsupported.
Install Mechanism
No install spec is provided; this is an instruction-only skill with a bundled shell script. The script requires the zip binary (checked at runtime). No downloads or archive extraction from external URLs occur.
Credentials
The skill declares no required environment variables or credentials. The script uses HOME and PWD via shell expansion (normal) and accepts a --base-dir flag; there is no request for unrelated secrets or external tokens.
Persistence & Privilege
The skill is not always-enabled, does not modify other skills, and does not request elevated persistence. It performs filesystem reads and writes within the user-specified output directory only.
Assessment
This skill appears coherent and local-only, but be mindful before running it: point --base-dir at repositories you control, and run with a specific --repos list to avoid copying unexpected files. The exporter will copy config and prompt files from those repos — if those files contain secrets or provider keys, they will be included in the generated zip. Verify the zip contents before sharing, ensure the zip binary is installed, and run the script in a controlled environment (or on a copy of your repos) if you have sensitive data in your project trees.

Like a lobster shell, security has layers — review code before you run it.

latestvk976shwr6d7ftwh2y1k1g9tbvn8300nf

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

shell Clawdis

Comments