Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sovereign Codebase Onboarding

v1.0.0

Codebase onboarding assistant that maps project architecture, identifies patterns, generates guides, and helps new developers understand any repository in mi...

0 · 521 · 1 current · 1 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (codebase onboarding, architecture mapping, guides) match the SKILL.md phases and the examples. The skill only describes reading repository manifests, CI, Dockerfiles, directory trees, and code to build an onboarding guide—these requirements are proportional to its purpose.
Instruction Scope
SKILL.md instructs the agent to inspect repository files (manifests, CI, Docker, entry points, configs) which is expected. One minor narrative phrase in the Philosophy section references reading "memory files" and "the journal" (personal anecdote) — this is ambiguous but the actionable instructions that follow are limited to repository artifacts. No instructions request unrelated system-wide files, credentials, or outbound exfiltration.
Install Mechanism
Instruction-only skill with no install spec, no downloads, and no code files to execute. This minimizes surface area; nothing is written to disk or installed by the skill itself.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. That is proportional for a purely analytical onboarding skill that works by reading repository contents.
Persistence & Privilege
always:false (default) and the skill does not request persistent system-wide changes or modification of other skills. Autonomous invocation is allowed by platform default but is not combined with broad privileges here.
Assessment
This skill appears coherent for repository analysis: it reads manifests, source files, CI, and Docker/README to build an onboarding guide and asks for no credentials or installs. Before installing, consider: (1) only grant the agent access to repositories you are comfortable having analyzed (don’t expose private secrets like .env files or credentials), (2) review the full SKILL.md/EXAMPLES to confirm it won't be pointed to any external endpoints in your deployment, and (3) if your agent platform allows scoping skills to specific repos or read-only file sets, restrict access to limit exposure. If you want extra assurance, test the skill on a public or sanitized repo first.

Like a lobster shell, security has layers — review code before you run it.

latest · vk975g7bx1ftt5sf1yct18d0adn81q4wh

Runtime requirements

🗺️ Clawdis