Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Workflow Builder
v1.0.0
Implement Agent Workflow Builder using OrbCafe UI (CustomizeAgent). Enterprise-grade React component with built-in best practices.
⭐ 0· 271·0 current·0 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description state this is an Agent Workflow Builder implemented with OrbCafe UI. The SKILL.md only instructs installing the orbcafe-ui npm package and importing CustomizeAgent — which is exactly what you'd expect for a UI integration.
Instruction Scope
Runtime instructions are limited to installing the NPM package and a minimal usage snippet. The instructions do not ask the agent to read system files, environment variables, or exfiltrate data.
Install Mechanism
There is no built-in install spec (instruction-only). The SKILL.md recommends installing from the public npm registry (npm/pnpm), which is an expected mechanism for a React UI library. No downloads from arbitrary URLs or archives are instructed.
Credentials
The skill declares no required environment variables, credentials, or config paths — appropriate for a UI/component integration guide.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false, no config writes or cross-skill modifications).
Assessment
This skill is just documentation showing how to use an npm UI package; the primary remaining risk is the third-party package (orbcafe-ui) it tells you to install. Before installing, verify the package on the npm registry: check the package page, maintainers, download counts, repository/homepage, and recent versions. Inspect the package contents (npm pack + tar inspection) for any unexpected postinstall scripts or binaries, prefer pinning a version in a lockfile, and consider installing/testing in an isolated environment (container/CI job with minimal permissions). If the package or its homepage/repo is unavailable or looks suspicious (typosquatting, no repo, or unexpected postinstall behavior), avoid installing it.
Like a lobster shell, security has layers — review code before you run it.
latestvk971381b168ck3t0z6p4whvtsx82xxjg
