Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Visio Use
v0.1.2
Bootstrap skill for DrawForge. Use this skill to onboard an agent into the DrawForge GitHub repository, understand the project structure, run the canonical c...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description claim to onboard an agent into the DrawForge repo and run a smoke test. Required binaries (git, python) and a VISIO_BRIDGE_TOKEN for the Visio bridge are consistent with cloning and running the repository's Python smoke-test workflow.
Instruction Scope
SKILL.md instructs the agent to clone the GitHub repo and run three Python scripts from Setup/ (prepare_smoke_test.py, run_draw_job.py, execute_drawdsl.py). That is coherent with the stated purpose, but it does involve executing code pulled from a remote repository—users should audit the repository and the referenced scripts before running them, and be cautious about any network activity those scripts may perform or any sensitive inputs they request.
Install Mechanism
There is no install spec; the skill is instruction-only. This is the lowest-risk model for an onboarding helper and is consistent with the described purpose.
Credentials
Only one environment variable is declared (VISIO_BRIDGE_TOKEN). The QUICKSTART clarifies this is a local token for a user's Visio bridge and is only needed for the bridge-backed smoke test; that is proportionate to the skill's purpose. No unrelated credentials or config paths are requested.
Persistence & Privilege
always is false and there is no install-time persistence requested. The skill does not request elevated platform presence or modify other skills' configuration.
Assessment
This skill is coherent for onboarding into DrawForge, but it directs the agent to clone a GitHub repo and run Python scripts from that repo. Before running the smoke test, verify the upstream GitHub repository and inspect the referenced Setup/*.py scripts for any network calls, credential use, or unexpected behavior. Only provide VISIO_BRIDGE_TOKEN if you trust and understand the token's scope; prefer an ephemeral or minimally-scoped token. Note the SKILL.md example uses an SSH clone (git@github.com...), which will use your SSH keys — if you prefer, use the HTTPS clone URL. Run the smoke test in an isolated or sandboxed environment if you are unsure about the code, and avoid supplying unrelated secrets. Finally, remember this is instruction-only: the agent will execute commands you allow, so audit the repository before granting runtime access.
Like a lobster shell, security has layers — review code before you run it.
latest vk97a5bjs08xk89nqg0r0efhbf583g06p
Runtime requirements
Bins: git, python
Env: VISIO_BRIDGE_TOKEN
