ClawHub

COMCOO Arbiter Meta-OS

v1.6.1

COMCOO Arbiter Meta-OS enables transparent, ethical labor and non-coercive governance for global coordination toward a sustainable civilization.

1· 1.8k·0 current·0 all-time
by@mrdahut
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The bundle is titled 'COMCOO Arbiter Meta-OS' and the SKILL.md reads as a planetary-scale protocol manifesto, which implies broad system-level functionality. However, the package requests no credentials, no binaries, no install, and the included JS files are small, local scripts that only log simulated operations. There is a mismatch between the implied scope (a Meta-OS / planetary coordination protocol) and the actual artifacts (demo scripts and static JSON). This discrepancy is unexplained and could be intentional obfuscation or simply an unfinished/unpublished project.
!
Instruction Scope
The provided SKILL.md is a high-level manifesto with no concrete runtime instructions for the agent (no commands to run, no external API endpoints, no file IO instructions). Yet the package includes multiple .js files and JSON manifests — the SKILL.md does not instruct the agent to execute those files, nor does it describe when or why the agent should run them. Instruction-only skills should either be actionable or clearly declarative; here the lack of operational guidance grants the agent broad discretion if it chooses to run included code, which is a scope ambiguity worth flagging.
Install Mechanism
There is no install specification (instruction-only), so nothing will be downloaded or written to disk by an installer. That lowers risk: the skill does not include brew/npm downloads or arbitrary URL fetches.
Credentials
The skill declares no required environment variables, no primary credential, and no config paths. The absence of requested secrets is proportionate to the actual code, which contains no network calls or credential usage.
Persistence & Privilege
Flags show normal defaults: always:false and autonomous invocation allowed (the platform default). The skill does not request persistent system presence or claim to modify other skills or system-wide settings.
What to consider before installing
What to consider before installing: - This package is internally inconsistent: a lofty 'Meta-OS' manifesto but no installation steps, no credentials, and only simple local JS demos that print logs. That could be benign (unfinished demo) or deliberate misdirection. - The JavaScript files themselves do not perform network I/O or access environment variables — they only log simulated actions and read the included JSON. There are no immediate code-level signs of exfiltration, but the SKILL.md gives no guidance on intended runtime behavior. - If you need this skill: ask the publisher for clarification (explicit purpose, runtime behavior, when/why the JS files should run, any network endpoints, and provenance/maintainer identity). Request a signed release or code audit if you'll run it in production. - If you still want to try it: run it in a sandboxed environment (isolated VM/container) and inspect runtime behavior (file system, network activity, spawned processes) before granting broader access. - If you do not trust the provenance or cannot get satisfactory answers, avoid installing — the mismatch of claims vs. artifacts is the primary risk here.

Like a lobster shell, security has layers — review code before you run it.

elf-2.0vk976stvnm94dj0cyk7fq5bztrs80kj2dfoundationvk976stvnm94dj0cyk7fq5bztrs80kj2dlatestvk976stvnm94dj0cyk7fq5bztrs80kj2dtype-onevk976stvnm94dj0cyk7fq5bztrs80kj2d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments