Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Coding Agent Backup
v1.0.0
Delegate coding tasks to Codex, Claude Code, or Pi agents via background process. Use when: (1) building/creating new features or apps, (2) reviewing PRs (sp...
⭐ 1 · 2k · 29 current · 32 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md and metadata describe delegating to local/CLI coding agents (claude, codex, opencode, pi) and declare anyBins for those CLIs. However the included index.js implements an entirely different approach: it calls the Google Generative Language (Gemini) REST API using a hard-coded API key and a network endpoint. That behavior is not declared in requires.env or the SKILL.md and is inconsistent with the stated purpose of orchestrating local CLIs.
Instruction Scope
SKILL.md instructs the agent to spawn background processes in arbitrary workdirs, clone repositories to temp dirs, run agents with elevated/no-sandbox flags (e.g. codex --yolo), and post PR comments via gh. Those instructions legitimately need filesystem and network access for reviews/builds, but the docs do not disclose that bundled code will send user-provided prompts/code to an external API (generativelanguage.googleapis.com). The instructions also allow running in broad host workdirs and elevated mode, increasing the risk of accidental exposure.
Install Mechanism
There is no external install step (instruction-only style), which is lower risk, but the package includes index.js and config.json. index.js contains outbound HTTPS calls to a public ML endpoint and a hard-coded API key. While no remote download/extract occurs at install, the included code itself will make network requests if executed — this is a runtime risk even without an installer.
Credentials
requires.env lists none, yet index.js embeds an apparent Google API key and uses it in requests. This is a mismatch: a network-capable key is present but not declared as a required credential. config.json sets workdir to '/home/admin/code' and enabled:true, implying access to a broad host directory by default. The skill requests broad filesystem and network access (via SKILL.md instructions) without proportional transparency or explicit env var handling.
Persistence & Privilege
always:false (not force-included), which is fine. However config.json sets enabled:true, priority:10 and a default workdir under /home/admin/code — this may cause the skill to be active and operate in a high-privilege area of the host unless the platform overrides it. The skill does not request to modify other skills' configs, but the default config and background/pty patterns mean it could access large parts of the user's codebase if run.
Scan Findings in Context
[hardcoded_api_key] unexpected: index.js contains a hard-coded API key string (assigned to this.apiKey) and appends it to requests to generativelanguage.googleapis.com. The SKILL.md and requires.env do not declare any Google API key requirement: credentials are not exposed as a required env var but are embedded in code, which is not appropriate for a skill whose declared purpose is to orchestrate local CLIs.
[external_network_request] unexpected: index.js makes direct HTTPS POST requests to a third-party generative model endpoint. The skill documentation focuses on running local CLIs and background processes; it does not disclose that user-provided prompts or repository contents may be transmitted to an external API provider.
[default_sensitive_workdir] unexpected: config.json sets workdir to '/home/admin/code' and enabled:true. The SKILL.md warns not to run agents in a particular workspace, but the default workdir is broad and could cause the skill to operate on sensitive files by default. This default is not declared in the skill metadata 'requires' fields.
What to consider before installing
Do not install or run this skill without changes. The package contains an index.js that will send prompts (potentially including code) to an external Google Generative Language endpoint using a hard-coded API key — the key is embedded in the file rather than provided explicitly via a declared environment variable. This is inconsistent with the skill's docs (which claim to orchestrate local CLI agents) and risks leaking repository contents and secrets. If you consider using it, ask the author to: (1) remove any hard-coded credentials and require a declared environment variable (e.g., GOOGLE_API_KEY) instead; (2) document and require any external API usage in SKILL.md and requires.env; (3) avoid defaulting to broad host workdirs (do not set /home/admin/code) and make workdir explicit at run-time; (4) remove or clearly flag 'no sandbox' / --yolo behaviors and any elevated-host instructions; (5) provide a verifiable homepage/origin and justification for why a remote model is necessary. If you already ran this skill, assume the embedded API key may be compromised — rotate/disable the key and audit any external requests or data that may have been sent.
Like a lobster shell, security has layers — review code before you run it.
latestvk973fn75xdnzd9kp6evhvqsd9x81w44c
Runtime requirements
🧩 Clawdis
Any bin: claude, codex, opencode, pi
