ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Project Loop

v1.0.2

Run approved long-running project work from file-backed state, continue through self-clearable tasks, pause cleanly at real gates, and recover across sessions.

0· 72·1 current·1 all-time
bySebastian The Claw@sebclawops
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (long-running, file-backed project loop) match the instructions: the SKILL.md prescribes reading/writing project files, a state machine, chunked execution, validation, and pause/resume behavior. No unrelated binaries, env vars, or install steps are requested.
Instruction Scope
Instructions stay within orchestration scope (read/write project files, validate outputs, advance state). A few phrases are ambiguous and grant operational discretion that could have practical impact: 'verify state.json against actual reality' and 'send a status update at least every 5 minutes' do not specify what endpoints/channels to use or what 'verify reality' entails. Also the rule 'do not wait for human confirmation between self-clearable tasks' intentionally enables autonomous progress — appropriate for the purpose but important for operators to understand.
Install Mechanism
No install spec and no code files — instruction-only skill. This is the lowest-risk install model and matches the skill design.
Credentials
The skill declares no environment variables, no credentials, and no config paths. The runtime instructions reference only project files under agents/<agent-id>/projects/<project-slug>, which is proportionate to the stated orchestration purpose.
Persistence & Privilege
The skill is not flagged always:true and requires user invocation; the platform default allows autonomous invocation by the agent (disable-model-invocation: false). That autonomous capability is consistent with the skill's goal (it explicitly directs continuing through self-clearable tasks), but users should be aware it can make multi-turn, unattended progress within the project folder.
Assessment
This skill is coherent for orchestrating long-running, file-backed projects and does not request credentials or install software. Before installing: 1) confirm you only use it for explicitly approved projects and that project folders (agents/<agent-id>/projects/<project-slug>) do not contain sensitive secrets the agent shouldn’t modify; 2) review how your agent identity maps to state.json.owner_agent so the correct agent executes tasks; 3) be aware it can proceed autonomously across multiple turns (it forbids waiting for human confirmation on self-clearable tasks) and will send regular status updates (every ~5 minutes) — decide whether you want that behavior and where updates will be delivered; 4) consider testing it in a sandbox project to verify 'verify reality' and status-update behavior are acceptable before using on critical projects.

Like a lobster shell, security has layers — review code before you run it.

latestvk9775gjxyz6z4n5yc6x0ep917d839717

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments