Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AGI Farm
v1.2.0Interactive setup wizard that creates a fully working multi-agent AI team on OpenClaw. One command bootstraps agents, SOUL.md personas, comms infrastructure...
⭐ 0· 364·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (bootstrap multi‑agent team, dashboard, dispatcher) align with included files (generate.py, auto-dispatch.py, dashboard.py, React dashboard). Using the OpenClaw CLI and optionally GitHub is expected for this purpose.
Instruction Scope
SKILL.md instructs the agent to write into ~/.openclaw/workspace, create team.json, generate files, register cron jobs, install a macOS LaunchAgent, and invoke openclaw agent sessions. Those are within the stated goal, but they permit broad file I/O, persistent job registration, and automated agent invocation — operations that can affect many user files and system services and therefore require explicit user consent and inspection.
Install Mechanism
No external download/install URL is used; the skill is instruction‑only in metadata but includes source files in the bundle. There is no installer that fetches arbitrary remote code at runtime, which reduces supply‑chain risk. The React bundle and Python scripts are included in the package.
Credentials
The registry declares no required env vars, but SKILL.md and code expect an 'openclaw' binary on PATH (with fallback path) and may call 'gh' for GitHub pushes; the README suggests OPENCLAW_BIN overrides and 'gh auth login' for GH. The skill does not request cloud/API keys directly, but it will use any existing CLI credentials (e.g., gh auth) and the user's filesystem. This is mostly proportional but users should be aware it will act using their CLI authentication context.
Persistence & Privilege
The skill sets up cron jobs and a persistent macOS LaunchAgent to run the dashboard/dispatcher. That gives the code ongoing presence and automatic execution on the host. While reasonable for a long‑running ops dashboard and dispatcher, persistence combined with autonomous agent triggering increases blast radius and should be explicitly authorized by the user.
What to consider before installing
This skill appears to do what it says, but it makes persistent changes (writes to ~/.openclaw/workspace, registers cron jobs and a macOS LaunchAgent, launches agent processes via the openclaw CLI, and can push to GitHub via the gh CLI). Before installing or enabling: 1) Inspect generate.py, dashboard.py and scripts/auto-dispatch.py (they are included) to confirm no unexpected network endpoints or credential exfiltration. 2) Run the setup in dry‑run mode (the dispatcher supports a non‑--execute dry run) and avoid selecting 'Create GitHub repo' until you ensure 'gh' is authenticated as you intend. 3) Backup ~/.openclaw and review any cron/LaunchAgent entries created; consider running first in an isolated environment (VM or throwaway user account). 4) If you don't want persistent services, skip registering cron/LaunchAgent and run dashboard/dispatcher manually. 5) If unsure, ask for a short code walkthrough of generate.py and dashboard.py to confirm they don't call remote URLs or upload workspace data.Like a lobster shell, security has layers — review code before you run it.
latestvk976h5jpw8hzayt2ekcjkdftq1820g53
License
MIT-0
Free to use, modify, and redistribute. No attribution required.