Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill
v0.1.2
Daily improvement briefings with one-click fixes for your AI agent. Observes traces, diagnoses failures, and applies fixes conversationally.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (daily briefings, diagnostics, fixes) align with the declared ADEPTLOOP_API_KEY requirement and the runtime instructions to fetch briefings and configure trace ingestion. However, the skill's registry metadata lists no required config paths even though the SKILL.md instructs reading and writing openclaw.json (project root) and ~/.openclaw/.env — an omission in the manifest.
Instruction Scope
SKILL.md instructs the agent to read project config (openclaw.json), create/merge plugin config, append/replace ADEPTLOOP_API_KEY in ~/.openclaw/.env, run a device auth flow (polling token endpoints), install the diagnostics-otel plugin, and schedule daily checks via cron. These actions go beyond read-only reporting: they modify local configuration, persist a secret to disk, and modify agent runtime behavior. Those file and scheduling actions are not declared in the skill metadata.
Install Mechanism
No install spec or external downloads — instruction-only skill. This is lower-risk from an installation standpoint because nothing is pulled or executed from arbitrary URLs. The only command invocation suggested is 'openclaw plugins install diagnostics-otel' which is reasonable for configuring the agent.
Credentials
The skill requires a single credential (ADEPTLOOP_API_KEY), which matches the service it integrates with. However, the runtime instructions read/write that key from a local file (~/.openclaw/.env) and add it into openclaw.json plugin headers. The manifest did not declare these config paths; the practice of persisting the API key to disk is expected for trace ingestion but should be made explicit in metadata and user prompts.
Persistence & Privilege
always:false (no forced inclusion). The skill requests autonomous behaviors common to such tools (scheduling daily checks via cron and installing/enabling a diagnostics plugin). This grants the skill persistent effects on the agent environment (config changes, cron entry), so users should be aware and approve those changes. Autonomous invocation itself is the platform default and is not in itself being flagged.
Scan Findings in Context
[no-findings] expected: The static scanner found no code to analyze because this is an instruction-only skill (SKILL.md contains runtime instructions). That absence of findings is expected but not reassuring — the runtime instructions are the primary security surface here.
What to consider before installing
This skill appears to do what it says (collect traces and fetch briefings) but it will: (1) read and modify your project openclaw.json, (2) create/modify ~/.openclaw/.env and store an ADEPTLOOP_API_KEY there, (3) run a device-auth flow that returns an API key, (4) install/enable the diagnostics-otel plugin, and (5) schedule daily checks via cron. Before installing: verify you trust adeptloop.com and the vendor, back up openclaw.json, review and approve any changes the skill will make (ask the skill to show the exact JSON it will merge), confirm where secrets are stored and whether they meet your security policy, and prefer manual confirmation for writing credentials or adding cron jobs. Also ask the publisher to update the skill metadata to declare the config paths (openclaw.json and ~/.openclaw/.env) so the manifest matches the actual behavior.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Env: ADEPTLOOP_API_KEY
Primary env: ADEPTLOOP_API_KEY
