ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Skill Growth

v0.1.1

Make OpenClaw Skills observable, diagnosable, and safely improvable over time. Use this when the user wants to maintain many SKILL.md files, inspect repeated...

1· 233·0 current·0 all-time
by@shuai-daidai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (skill maintenance, observation, propose/apply flows) align with the instructions and included docs. The package is explicitly a ClawHub wrapper that points to a GitHub repo; it does not request unrelated credentials or binaries.
Instruction Scope
SKILL.md instructs the user/agent to clone the GitHub repo and run npm scripts (scan, analyze, propose, report, apply). Those commands legitimately operate on local skill directories and run logs and can modify SKILL.md files when you execute an "apply" flow—this is expected for the stated purpose but means you should review proposals and use demo:dry-run before making changes.
Install Mechanism
No install spec in the wrapper itself (instruction-only). The README/INSTALL.md points to a GitHub repo and npm install/build/test steps for the real project — a standard approach. Note: installing the full project will run npm install and pull packages from the registry, which is typical but worth auditing if you require a fully locked supply chain.
Credentials
This wrapper declares no required environment variables, credentials, or config paths. The underlying project may require filesystem access (to skill dirs and run logs) and possibly repository/git credentials if you exercise apply flows against remote repositories, but nothing in this wrapper unexpectedly asks for secrets.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. The agent may invoke the skill autonomously (default), which is normal; this combined with the ability to run apply flows means the user should control when the plugin is run and prefer dry-run first.
Assessment
This wrapper is coherent and intended only to help you discover and run the full OpenClaw Skill Growth project. Before using it: (1) inspect the upstream GitHub repo and release to confirm authenticity, (2) run demo:dry-run and review generated proposals/patches before running any apply command, (3) if you run npm install for the full project, consider doing so in an isolated environment or CI runner and review dependencies, and (4) be cautious if you provide repository credentials or run apply against real skill directories because apply can modify SKILL.md files and bump versions.

Like a lobster shell, security has layers — review code before you run it.

latestvk971f36k120bs3be3tmd718b858311yymaintenancevk9789jvp0srac1fhtteff99z21831779observabilityvk9789jvp0srac1fhtteff99z21831779openclawvk9789jvp0srac1fhtteff99z21831779self-improvingvk9789jvp0srac1fhtteff99z21831779skillsvk9789jvp0srac1fhtteff99z21831779

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments