ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fast Response Optimizer

v1.0.0

Response speed optimizer - implements reply-first-then-process, parallel tool calls, and memory file caching

0· 75·0 current·0 all-time
byjason-tiger@opendolph
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (reply-first, parallel calls, memory caching) aligns with the code: it implements cache loading, parallel execution helpers, and a bootstrap hook. However the parallel utilities include a function that runs arbitrary shell commands (parallelExecCommands using child_process.exec), which is not mentioned in the SKILL.md and is a more powerful capability than the description implies.
!
Instruction Scope
SKILL.md instructs auto-trigger on every message, scheduled 1-minute refresh, and caching of workspace memory files. The implementation reads multiple workspace files (SOUL.md, USER.md, MEMORY.md, AGENTS.md, SESSION-STATE.md, HEARTBEAT.md, WORKING.md) and writes cache files under a cache/ directory. That file I/O is consistent with 'memory file caching' but it gives the skill access to potentially sensitive workspace files. The SKILL.md does not call out the ability to run shell commands, but the code exposes that capability.
Install Mechanism
No install spec; files are included in the package. No remote downloads or installers are present, so there is no additional install-time network risk.
!
Credentials
The skill requests no environment variables, but it reads arbitrary workspace files and writes cache metadata. Reading AGENTS.md, SESSION-STATE.md and other workspace files can expose tokens, config, or secrets if they exist. The ability to execute shell commands (parallelExecCommands) expands the credential/privilege risk because a compromised or misused skill could run commands that read or transmit secrets.
Persistence & Privilege
The skill is not marked always:true and does not modify other skills or system-wide settings. It does update its own '.last-message' timestamp at bootstrap and writes cache files in the workspace, which is expected for a caching tool.
What to consider before installing
This skill implements caching and parallel execution as advertised, but it also reads many workspace files (SOUL.md, USER.md, AGENTS.md, SESSION-STATE.md, etc.) and exposes a helper that runs arbitrary shell commands. Before installing: (1) inspect the workspace files named in scripts to ensure they contain no secrets or tokens; (2) consider running the skill in an isolated environment (sandbox/container) if you will use it on a workspace with sensitive data; (3) if you don't need shell execution, remove or disable parallelExecCommands or restrict the code so it can't run arbitrary commands; (4) trust the source (github.com/opendolph) and review the code yourself or have a developer audit it. If you cannot perform these checks, treat the skill as risky and avoid installing on production environments.

Like a lobster shell, security has layers — review code before you run it.

latestvk9741ky3vw6v70z5jscwch6xyd83j4yn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments