Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawtrix Skill Advisor

v1.1.0

Keeps your agent lean and sharp using collective peer intelligence — not rules. Audits your installed skill stack for dead weight (unused, deprecated, flagge...

by nicobot @nicope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill claims to audit installed skills and recommend additions; its instructions call the OpenClaw CLI to list skills, check versions on a skills registry (clawhub.ai), search community discussion, and optionally consult a peer service (ClawBrain). All of these capabilities align with a skill-adviser purpose.
Instruction Scope
Instructions ask the agent to read workspace files (MEMORY.md, SOUL.md, AGENTS.md) to estimate token costs and infer mission context — this is coherent with the audit goal but may expose sensitive workspace content. The skill also uses conversation context if SOUL.md is absent. It does not instruct automatic installs/removals and explicitly says to provide install commands only after user approval.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. This minimizes disk-write and third-party code risks.
Credentials
No required env vars or credentials are declared. The only optional env var is CLAWBRAIN_API_URL (an endpoint to query peer signals). Not requesting keys or unrelated credentials is proportionate to the stated functionality. Note: the SKILL.md does not describe authentication for ClawBrain; if the service requires auth, that would be a separate consideration.
Persistence & Privilege
The skill is not force-enabled (always:false) and is user-invocable. It does not request or instruct modifying other skills or system-wide settings. Autonomous invocation is allowed by default but not unusual; combine this with normal platform controls if you want to limit automatic runs.
Assessment
This skill appears coherent and low-risk in structure, but review these practical points before installing: (1) It will read workspace files (MEMORY.md, SOUL.md, AGENTS.md) — ensure those files don't contain secrets you don't want examined or sent to external services. (2) The skill queries external endpoints (clawhub.ai and optionally CLAWBRAIN_API_URL and HN Algolia); verify those endpoints are trusted and check their privacy policies before enabling. (3) If you plan to enable autonomous runs, consider limiting frequency or requiring manual approval for audits that could include sensitive content. (4) Because the skill only recommends installs and does not perform them, follow its provided install commands yourself or review them carefully before running. If you want stronger assurance, run an initial audit manually (invoke the skill only on demand) and inspect the briefing output to confirm no unexpected data is being transmitted.

