Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Skill Tech Brainstorm

v1.0.0

Multi-source technical research + contextual brainstorm for architecture and stack decisions. Use when: the user asks to brainstorm a technical topic, compar...

by Romain (@romain-grosos)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (technical brainstorm, multi-source research, LLM-based) align with what the code implements: building prompts, calling an OpenAI-compatible LLM, synthesizing a report, saving it under ~/.openclaw, and dispatching to Telegram/Nextcloud/email. No unrelated credentials or binaries are requested.
Instruction Scope
Runtime instructions confine activity to: receiving research (stdin) or a topic/context, calling the LLM, saving reports to ~/.openclaw/data/tech-brainstorm, and dispatching via configured outputs. The scripts read the LLM API key file (~/.openclaw/secrets/openai_api_key) and (only when needed) ~/.openclaw/openclaw.json for a Telegram bot token — both are documented in SKILL.md. There are no hidden instructions to read arbitrary system files or exfiltrate unrelated data.
Install Mechanism
No install spec is provided (the skill is delivered as files). The code claims zero external Python dependencies and uses only stdlib (urllib/json/etc.), matching the SKILL.md. There are no download URLs or archive extracts that would write arbitrary code at install time.
Credentials
The skill requires an LLM API key stored in a dedicated file (~/.openclaw/secrets/openai_api_key) and optionally reads OpenClaw config (~/.openclaw/openclaw.json) for a Telegram token when telegram output is enabled. These credentials are appropriate and proportional to the stated functionality. No unrelated SECRET/TOKEN/PASSWORD variables or external-service keys are requested.
Persistence & Privilege
The skill stores config and reports under ~/.openclaw/config/tech-brainstorm and ~/.openclaw/data/tech-brainstorm respectively. It does not request always:true, does not modify other skills' configs, and validates dispatch script paths to the workspace skills directory. This level of persistence is consistent with its purpose.
Assessment
This skill appears to do what it says: it uses an OpenAI-compatible API key read from ~/.openclaw/secrets/openai_api_key, writes reports under ~/.openclaw/data/tech-brainstorm, and can dispatch results to outputs (Telegram, Nextcloud, email) if you configure them. Before installing or using it: 1) verify and protect the API key file (chmod 600), 2) review and configure outputs (avoid enabling Telegram or mail dispatch unless you want those external deliveries), 3) confirm allowed_output_dirs if you plan to write reports outside ~/.openclaw, and 4) run python3 scripts/init.py (and --test-llm if desired) to validate connectivity. If you need higher assurance, inspect the dispatch implementation for how it invokes other skills (it uses subprocess.run and validates paths) and ensure only trusted skills are installed under ~/.openclaw/workspace/skills.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/_dispatch.py:55: Dynamic code execution detected.

Like a lobster shell, security has layers — review code before you run it.

latestvk9736460bq9rw12dfyyx5tzjzx83rw3x

Runtime requirements

🧠 Clawdis