ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Claw Team Builder

v1.0.0

Agent团队创建和管理工具 - 用于创建多Agent协作团队,分配角色和任务,协调复杂工作流。支持创建CEO、分析师、研究员等角色,实现智能任务分发和结果整合。

0· 71·0 current·0 all-time
by@ryan-wuxl
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill is a multi-agent team/orchestration tool and declares node as a required binary, which is coherent. However, the SKILL.md's runtime commands call scripts (node scripts/*.mjs) that are not present in the skill bundle. That mismatch (instructions expecting local scripts but no code provided) is an inconsistency: either the skill is only documentation pointing to an external repo or it's incomplete.
!
Instruction Scope
Instructions explicitly tell the agent/user to run node scripts (create-team.mjs, assign-task.mjs, team-status.mjs). Those commands will execute arbitrary JavaScript if the scripts exist. The SKILL.md does not instruct reading unrelated system files or env vars, but because the actual scripts are absent, there's no way to verify what those scripts would do — they could perform network access, read credentials, or modify files.
Install Mechanism
There is no install spec and no files to write to disk from the skill itself. Instruction-only skills are low-risk in terms of automated installs. The homepage points to a GitHub repo (which is a normal location to host code), but the repo contents are not bundled here, so manual review would be required before running anything from that repo.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportionate to the SKILL.md presented. The main risk is that the referenced Node scripts (not included) might request credentials or read environment variables when executed — this cannot be determined from the provided materials.
Persistence & Privilege
always is false and the skill does not request persistent presence or elevated privileges. There are no instructions to modify other skills or system-wide settings in the SKILL.md.
What to consider before installing
This skill is an instruction-only guide that expects Node scripts (node scripts/*.mjs) to exist, but the package you installed contains no code files. Before running any of the example commands, manually inspect the referenced repository or scripts: clone the GitHub homepage, open the scripts (create-team.mjs, assign-task.mjs, team-status.mjs), and review what they do (network calls, file I/O, environment access). Only run scripts you trust, preferably in a sandbox or isolated environment. If you need automated behavior, prefer a skill that bundles source or a signed release; if the repository is intended as the source, verify the repo URL, commit history, and author identity first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ffgk6es0ydwqpr6fj8w3mdd83dsdt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👥 Clawdis
Binsnode

Comments