Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ANCC
v1.0.0
Grow limbs — discover, validate, and integrate ANCC-compliant CLI tools into your OpenClaw agent. Use when setting up new tools, auditing agent environment s...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (discover, validate, integrate ANCC CLI tools) match the declared requirement (ancc binary) and the SKILL.md content. The operations described (validate, audit, scaffold, token analysis) are coherent with needing an 'ancc' CLI.
Instruction Scope
SKILL.md provides concrete commands that will read and analyze local agent state (credential dirs like ~/.ssh and ~/.aws, shell histories, skill configs) and produce reports; that is within the declared purpose (audit/security), but it means running the tool will access sensitive files and metadata on the host. The doc explicitly states it does not execute target tools at runtime, reducing some risk.
Install Mechanism
The skill is instruction-only (no install spec). The SKILL.md suggests installing via Homebrew, go install, or downloading a GitHub release binary; those are typical and expected for a CLI. The suggested curl target is a GitHub releases URL (not a suspicious shortener or personal server).
Credentials
The skill requests no environment variables or credentials from the platform. However, the ancc tool it documents is explicitly designed to scan credential/config directories and history files — this is proportional to an auditing tool but does involve reading sensitive user files. No unrelated credentials or env vars are requested by the skill itself.
Persistence & Privilege
No elevated privileges or always:true present. The skill is user-invocable and does not request permanent presence or modify other skills' configs. Autonomous invocation is allowed (platform default) but not unusual here.
Assessment
This skill is coherent and matches its description, but the ancc CLI is an auditing tool that will inspect sensitive local files (e.g., ~/.ssh, ~/.aws, shell history, skill configs) when you run commands like `ancc audit`. Before installing or running it: (1) verify you trust the upstream source (check the GitHub repo and release checksums), (2) run audit commands interactively and review output locally before sharing results, (3) avoid giving outputs to third parties without redaction, and (4) consider running it in a controlled environment (container or VM) if you are concerned about exposing secrets. If you need more assurance, provide the registry owner/homepage discrepancy (the skill metadata lacked a homepage) or request the upstream package checksum for validation; that would increase confidence further.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: ancc
