Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
nexus-corporate-onboarder
v2.1.0
AI-powered employee onboarding with adaptive learning paths by role and compliance training.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md claims integrations with HRIS systems (SAP, Workday, BambooHR), automatic dashboarding, and data analysis. Yet the skill declares no required environment variables, no primary credential, and provides no instructions on how to authenticate or access those systems. Integrating with HRIS platforms normally requires API keys, OAuth secrets, service accounts, or connectors — their absence is incoherent with the stated capabilities.
Instruction Scope
The instructions are high-level and act as a design/workflow spec (audit, map competencies, design modules). They do not specify concrete runtime actions, files, API endpoints, or what data the agent should collect. That vagueness grants broad discretion to an agent and could lead to it requesting or accessing unrelated context or credentials at runtime if later coupled with code — this is a scope-creep risk.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only. That minimizes immediate filesystem or third-party code risk because nothing will be downloaded or executed as part of an install.
Credentials
Given the claimed capabilities, I would expect required env vars (API keys, client IDs/secrets, service account paths) or at least instructions on how to provide connectors. The absence of any declared credential requirements is disproportionate and unexplained.
Persistence & Privilege
always is false and there are no install steps that modify agent config or system-wide settings. The skill does not request persistent privileges in its current form.
What to consider before installing
This package appears to be a high-level design or spec rather than an executable integration. Before installing or enabling it: (1) ask the author how HRIS integrations are achieved and where credentials are stored — do not hand over SAP/Workday/BambooHR credentials without clear, auditable connectors; (2) require the skill to declare any environment variables or config paths it will use and to provide concrete runtime steps or code for review; (3) if the skill later gains code or install steps, review those for network endpoints, OAuth flows, and any downloads; (4) run the skill with limited permissions or in an isolated environment until its runtime behavior is clear. If you need onboarding functionality now, prefer integrations that explicitly document authentication and data flows.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🏢 Clawdis
OS: macOS · Linux · Windows
