Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elen: Epistemic Decision Tracker

v1.0.1

Teaches agents how to query, expand, and cleanly commit technical, design, and product constraints to the Elen SQLite decision graph via the Elen Context Ser...

by Nico @nicoizco
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The SKILL.md describes using a local Elen MCP server to record decisions, which matches the skill name/description. Minor mismatch: the instructions assume the ability to run 'npx @learningnodes/elen-mcp@0.1.1', but the skill metadata lists no required binaries (node/npx). The dependency on npx/node should be declared.
Instruction Scope
Instructions stay on-topic: they describe when/how to query and commit decisions and list specific MCP actions (suggest, get_competency, commit, supersede). They do not request reading unrelated files, credentials, or exfiltrating data.
Install Mechanism
No install spec in the skill (instruction-only). The SKILL.md tells users/agents to configure the platform to run an npm package via npx. That is a reasonable approach for an instruction-only skill, but it implicates fetching code from the npm registry (@learningnodes/elen-mcp@0.1.1); you should validate and trust that package before running it.
Credentials
No environment variables, credentials, or config paths are requested by the skill, and the instructions do not ask for secrets. Proportional to the stated purpose.
Persistence & Privilege
Skill is user-invocable and not always-included; it does not request persistent/system-wide modifications. Autonomous invocation is allowed by default on the platform but the skill itself does not demand elevated persistence.
Assessment
This skill is an instruction-only integration that expects you to run a local 'Elen MCP' server via npx (@learningnodes/elen-mcp@0.1.1). Before installing/running that package, verify the npm package source and review its code or repository (or run it in an isolated environment) because the SKILL.md directs fetching code from the npm registry even though the skill metadata doesn't declare node/npx as required. Also ensure your agent/platform is permitted to run npx commands and that you are comfortable with the agent invoking those MCP actions automatically.

Like a lobster shell, security has layers — review code before you run it.

Tags: architecture, decision-records, latest, mcp-server, memory
