ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DiagForge Bootstrap

v0.1.1

Bootstrap skill for DiagForge. Use this skill to onboard an agent into the DiagForge GitHub repository, understand the project structure, run the canonical c...

0· 71·0 current·0 all-time
by@qweadzchn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description say this skill bootstraps an agent into the DiagForge repo; it requires git and python which are exactly what you need to clone and run the repo's smoke-test scripts. Asking for a Visio bridge token is plausible given the Visio-based workflow described.
Instruction Scope
SKILL.md stays on-task (clone repo, read specific docs, run the canonical smoke-test commands). It does instruct running repository Python scripts (Setup/*). Those scripts will run arbitrary Python code from the cloned repo, so inspect them before execution. The instructions do not themselves instruct reading unrelated local files or exfiltrating data.
Install Mechanism
Instruction-only skill with no install spec and no code files included in the package—no downloads or archive extraction by the skill itself (lowest install risk).
Credentials
The only required env var is VISIO_BRIDGE_TOKEN which is plausible for a Visio bridge, but SKILL.md never documents how or when the token is used. This is not necessarily malicious, but you should confirm the token's scope and why it's required before providing it.
Persistence & Privilege
The skill does not request always-on presence and uses normal agent invocation. It does not modify other skills or system-wide settings as presented.
Assessment
This skill is an instruction-only bootstrap: it points the agent to the GitHub repo and tells it to run Python smoke-test scripts found there. Before installing or running it: (1) verify the VISIO_BRIDGE_TOKEN purpose and minimize its scope/privileges; (2) prefer cloning via HTTPS if you don't want to expose SSH keys; (3) inspect the repository's Setup/*.py scripts and any network calls they make before executing them, and run tests in a sandbox or isolated environment if you can. If you don't trust the repo or can't review the code, don't provide sensitive tokens or run the smoke-test commands on a production machine.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ay3z46nhb2jtje88mc3bsv58386se

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsgit, python
EnvVISIO_BRIDGE_TOKEN

Comments