ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

teammate.skill

v2.0.0

Distill a teammate into an AI Skill. Auto-collect Slack/Teams/GitHub data, generate Work Skill + 5-layer Persona, with continuous evolution. Use when: user w...

0· 37·0 current·0 all-time
byMyClaw.ai@myclaw-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to 'auto-collect Slack/Teams/GitHub' and the repository includes multiple collector/parser tools (slack_collector.py, github_collector.py, teams_parser.py, email_parser.py, etc.), which is coherent with its stated purpose. However the registry metadata declares no required environment variables or credentials while the SKILL.md and INSTALL.md explicitly instruct users to provide a Slack Bot token (xoxb-...), a GITHUB_TOKEN, and to run setup that persists a config in ~/.teammate-skill. That mismatch (declared none vs. actual need for tokens and saved config) is an incoherence and should be explained by the author.
!
Instruction Scope
SKILL.md instructs the agent/operator to auto-collect messages, threads, PRs, reviews, emails, Teams exports, Notion/Confluence exports and to run local scripts that will read and parse those artifacts. It also directs saving Slack config and tokens to ~/.teammate-skill/slack_config.json and using environment GITHUB_TOKEN. The instructions permit collecting private channel history (optional scopes) and using admin/export files. These are within the skill's purpose but they expand scope to highly sensitive personal and corporate data; the SKILL.md lacks an explicit, enforced least-privilege guidance and leaves potentially ambiguous decisions (which channels/repos to scan) to the operator/agent.
Install Mechanism
There is no formal install spec in registry metadata (instruction-only), but the package includes 12 Python tools and an INSTALL.md that recommends cloning from a GitHub repo and optionally running pip install -r requirements.txt (slack_sdk). The install flow is typical but means arbitrary Python code will be present and executed locally if the user follows the guide; no remote, obfuscated download URLs are used in the docs (github clone recommended), which lowers some risk but still requires code review before execution.
!
Credentials
Although the registry declares no required env vars, the docs explicitly require/encourage: a Slack Bot OAuth token with channel history scopes and a GitHub personal access token (repo or public_repo). Those credentials grant broad read access to potentially private communications and repositories. The skill also persists tokens/config to the home directory. Requesting such high-scope credentials is proportionate to 'auto-collect' functionality only if the user intends full workspace harvesting — but the metadata omission and lack of concrete guidance on minimal scopes, token rotation, or secure storage make this a clear red flag.
Persistence & Privilege
always:false (no forced inclusion) and there is no indication the skill modifies other skills or system-wide agent settings. The tool writes its own config under ~/.teammate-skill and manages teammate artifacts in ./teammates/{slug}/ which is expected for this function. However, because the skill can be invoked autonomously (platform default) and requests sensitive tokens, autonomous operation would increase blast radius — reviewers should consider running collectors manually or restricting autonomous runs until the code is audited.
Scan Findings in Context
[NO_REGEX_FINDINGS] expected: The static pre-scan reported no injection signals or regex matches. Given this is a multi-file Python toolset, absence of matches is plausible, but it does not replace a manual audit of collector code that handles credentials and network operations.
What to consider before installing
What to consider before installing or running this skill: - Metadata mismatch: the registry lists no required credentials but the docs and SKILL.md explicitly require a Slack Bot token and a GitHub token. Ask the author to update the registry or explain why credentials aren't declared. - Audit the code first: the package includes multiple collector scripts that will read chats, emails, PRs and save config/tokens locally. Inspect slack_collector.py, github_collector.py and privacy_guard.py to confirm where data is sent, how tokens are stored, and that no unexpected remote endpoints are contacted. - Use least privilege: if you proceed, create dedicated, minimal-scope credentials (a Slack app with only the channels the bot actually needs and a GitHub token with minimal scopes) and rotate/delete them after use. Avoid using org-wide admin tokens. - Avoid running autonomously until audited: because the skill can be invoked by agents, restrict autonomous runs or require manual approval for collectors so it cannot silently harvest data. - Secure storage: do not paste long-lived tokens into insecure prompts; prefer ephemeral tokens or a secrets manager. If the tool writes tokens to ~/.teammate-skill/slack_config.json, ensure that file is protected (file permissions) and consider deleting it after use. - Test in isolation: run collectors against non-production or sample exports first to verify behavior and privacy_guard redaction works as expected. If you cannot review the code or follow the above mitigations, treat the skill as high-risk for sensitive data exposure and do not install it in production environments.

Like a lobster shell, security has layers — review code before you run it.

latestvk972ph9kn8zfshzngq3cm9q88n83y8n2

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments