ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Identity Kit

v1.0.0

Create, validate, and manage agent identity cards (agent.json) following the Agent Card v1 schema with interactive setup and validation tools.

1· 2.7k·15 current·17 all-time
by@ryancampbell
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (agent identity card generator/validator) matches the included files: an agent JSON schema, examples, an interactive init script, and a validator script. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
SKILL.md instructs only local operations: run ./scripts/init.sh to create agent.json and ./scripts/validate.sh to validate against the included schema. The validate script may auto-install a validator (ajv-cli via npx or python jsonschema via pip) if missing — this is expected for validation but is an active operation that will perform network installs when run.
Install Mechanism
No install spec; this is an instruction-only skill with shell scripts and static JSON files. There are no downloads or extracted archives included in the package. The only runtime behavior that pulls remote code is when validate.sh invokes npx or pip to install validators if they are absent.
Credentials
The skill requests no environment variables or credentials. The only noteworthy behavior is that validate.sh will attempt to install tools (npx/ajv-cli or pip jsonschema) if absent, which requires network access and will install packages into the user's environment (potentially globally). No secrets are read or transmitted by the scripts.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify other skills or system-wide agent settings. It writes only the user-provided agent.json file and does not persist credentials or change configuration beyond that file.
Assessment
This package appears to do exactly what it claims: generate and validate agent.json identity cards. Before running: (1) review the init.sh output location — it writes a file (agent.json by default) using your inputs; inputs are inserted verbatim into JSON so avoid entering untrusted/executable text; (2) be aware validate.sh may install validation tooling via npx or pip if they aren't present — this requires network access and may install packages globally; (3) the scripts do not access secrets or external endpoints beyond optional package installs and the SKILL.md links to foragents.dev; if you are comfortable allowing local installs and creating a local JSON file, this skill is coherent and low risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ec5szkpzqp95zmyc6rcwvws80h59f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments