ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Visio Use

v0.1.2

Bootstrap skill for DiagForge. Use this skill to onboard an agent into the DiagForge GitHub repository, understand the project structure, run the canonical c...

0· 83·0 current·0 all-time
by@qweadzchn·duplicate of @qweadzchn/diagforge-visio-user
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The skill's name and description match its runtime instructions: it directs an agent to clone a GitHub repo, read specific docs, and run the repository's smoke-test Python scripts. Requested binaries (git, python) are appropriate for those actions.
Instruction Scope
SKILL.md limits the agent to cloning the repo, reading listed docs, and executing the canonical smoke-test commands in the repository. These actions are within the stated onboarding/bootstrap scope. Note: the instructions run Python scripts that live in the external repository, so running them executes code fetched from GitHub (normal for this use case but worth review).
Install Mechanism
This is an instruction-only skill with no install spec and no code files included in the package—lowest install risk. It relies on existing git/python on PATH and on the upstream GitHub repository for all runtime code.
Credentials
The skill declares VISIO_BRIDGE_TOKEN as a required env var. That token is plausible for running bridge-backed smoke tests that interact with Microsoft Visio, but it is not required for cloning or reading the repository. QUICKSTART.md explicitly states the token is only needed for the bridge-backed smoke test and should be set only after verifying the upstream repo. This is a reasonable design, but users should treat the token as a sensitive local credential and only provide it when they intend to run Visio bridge operations.
Persistence & Privilege
The skill does not request persistent or elevated platform privileges. always:false and disable-model-invocation:false are standard; the skill does not modify other skills or system-wide agent settings.
Assessment
This skill is a lightweight guide that points agents to the DiagForge GitHub repository and shows which Python smoke-test scripts to run. Before using it: 1) Verify the upstream GitHub repo (https://github.com/qweadzchn/DiagForge) yourself; 2) Understand that the smoke-test commands execute Python scripts from that repo—review those scripts before running them locally; 3) Only set VISIO_BRIDGE_TOKEN if you trust and control a local Visio bridge instance, since it is a sensitive token used to access that bridge; 4) Use HTTPS cloning if you don't want to expose SSH keys; and 5) Be aware that running repository code can perform arbitrary actions on your machine, so run in a controlled environment if you have any doubts.

Like a lobster shell, security has layers — review code before you run it.

latestvk976sny2ym65yds9xqcktdh32s8398rs

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsgit, python
EnvVISIO_BRIDGE_TOKEN

Comments