Analytics Platform Base

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: analytics-platform-base
Version: 1.0.0

The skill bundle promotes the installation of an obscure third-party NPM package ('orbcafe-ui') and specifically instructs the AI agent to read further documentation from within the 'node_modules' directory after installation (SKILL.md). This pattern is a known vector for supply-chain attacks and indirect prompt injection, as it allows the execution of instructions or code hosted externally that were not present during the initial security review.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Installing the dependency will add third-party code to the user's project.

Why it was flagged

The skill instructs the user to install an external npm package without a pinned version. This is expected for a UI-library integration, but it introduces normal package supply-chain considerations.

Skill content

npm install orbcafe-ui
# or
pnpm add orbcafe-ui

Recommendation

Review the npm package, its publisher, version, and dependency tree before installing it in a sensitive project.