Ai Agent Configurator

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ai-agent-configurator
Version: 1.0.0

The skill bundle instructs the AI agent to install and use an external NPM package named 'orbcafe-ui' (SKILL.md). This presents a significant supply chain risk, as it encourages the agent to fetch and execute unverified third-party code. Furthermore, the instructions direct the agent to consult documentation located within the 'node_modules' directory after installation, a tactic that could be used to bypass initial static analysis by hiding further malicious instructions inside the downloaded package.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing any npm package can add third-party code to your project, so the package should be trusted before use.

Why it was flagged

The skill instructs the user to install a third-party npm package. This is aligned with the stated React UI implementation purpose, but the package version is not pinned and the package provenance is not otherwise described.

Skill content

npm install orbcafe-ui
# or
pnpm add orbcafe-ui

Recommendation

Review the npm package, consider pinning a known-good version, and use normal dependency review practices before adding it to a project.