Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openclaw-kilo-agent

v1.0.0

High-performance coding agent and browser automation orchestrator using the Kilo CLI. Use when you need to: (1) Offload heavy-duty coding tasks (refactoring,...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md clearly expects a locally installed Kilo CLI and the ability to launch MCP servers via npm/npx and Puppeteer; however the registry metadata declares no required binaries or installs. That omission is inconsistent: a Kilo orchestrator legitimately needs the Kilo binary (and often npm) available.
! Instruction Scope
The instructions direct the agent to run Kilo commands that control browsers (Puppeteer) and to use `--auto` to bypass interactive prompts. While browser automation is within the stated purpose, the guidance to always auto-approve operations and to invoke npm/npx MCP servers at runtime expands the agent's autonomy and can enable actions (navigation, form-filling, scraping) without explicit user confirmation.
Install Mechanism
No install spec is provided (lowest static installation risk). However the documentation requires runtime use of npm/npx to launch MCP servers (e.g., @modelcontextprotocol/server-puppeteer). That implies on-demand downloads and execution of third-party npm packages, which is higher-risk behavior not captured in the metadata.
! Credentials
The skill declares no required environment variables or credentials, yet mentions integration with model providers, GitHub, and MCP servers which typically require tokens/keys. The absence of declared env requirements is inconsistent and may hide the need to supply sensitive credentials at runtime. Additionally, auto-approval increases the chance those credentials could be used without further prompts.
Persistence & Privilege
The skill is not forced-always and model invocation is allowed (normal). However the skill explicitly recommends `--auto` to bypass prompts, effectively increasing its ability to act autonomously. That autonomy combined with runtime npm downloads and possible credential use raises the blast radius if misused.
What to consider before installing
This skill looks like a thin instruction wrapper for the external Kilo CLI and Puppeteer MCP servers, but the registry metadata doesn't declare that dependency. Before installing or invoking: (1) Confirm you have a trusted, up-to-date Kilo CLI and understand its config at ~/.config/kilo/kilo.json; (2) be cautious about allowing the skill to run with `--auto` — that bypasses interactive approvals and can let automation act without asking you; (3) recognize that runtime use of `npx` will download and execute third-party npm packages (review the packages and their source); (4) do not provide sensitive tokens (GitHub, model provider keys, etc.) unless you trust the environment and have reviewed how they will be used; and (5) ask the skill author to update metadata to declare required binaries/env and to remove or justify the blanket recommendation to use auto-approval so you can make an informed risk decision.

Like a lobster shell, security has layers — review code before you run it.
