Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Acp Fallback

v1.0.1

Automatically retries ACP vendors in priority order (codex, claude, pi, API) on failure, returning the first successful result with fallback logging.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The SKILL.md claims automated fallback between multiple ACP vendors (codex, claude, pi, direct-api). However, the skill bundle contains no code, no helper script, and no declared credentials. Implementing multi-vendor calls would normally require vendor-specific credentials, SDK/CLIs, or shipped scripts — none are present or requested. This mismatch suggests missing pieces or incomplete packaging.
! Instruction Scope
Instructions tell agents to 'source scripts/acp-fallback.sh' and to replace direct acpx calls with acp_exec, and to log to logs/acp-fallback.log. Because no scripts or install steps are provided, these runtime instructions are not actionable as-is. The doc also references model and vendor names (MiniMax, DeepSeek, OpenAI, GLM-5, etc.) that imply external credentials or APIs but never instruct how to obtain or store those secrets.
Install Mechanism
There is no install spec (instruction-only). That is low-risk by itself, but the SKILL.md explicitly expects a local script at scripts/acp-fallback.sh to be present and sourced; without an install step to place that file, the skill is incomplete. The lack of an install mechanism prevents verification of what would actually run.
! Credentials
The metadata declares no required environment variables or credentials, yet the described functionality (calling Codex, Claude, Pi, OpenClaw's API, OpenAI, etc.) normally requires API keys/tokens. The omission of any declared secrets is disproportionate to the claimed cross-vendor behavior and is an inconsistency that should be resolved before use.
Persistence & Privilege
The skill does not request always:true and is not requesting elevated platform privileges. It does suggest writing fallback logs to logs/acp-fallback.log on disk, which is a limited persistence action but not inherently privileged. No evidence it modifies other skills or global agent config.
What to consider before installing
This skill's README-style instructions describe a useful fallback wrapper but the package contains no implementation, no install steps, and declares no API keys — yet its behavior requires them. Before installing or using this skill:
1) ask the publisher for the actual scripts (scripts/acp-fallback.sh and any helpers) and an install procedure;
2) require an explicit list of all environment variables/API keys needed and how they are used;
3) inspect the implementation for network endpoints and any code that transmits logs or secrets;
4) be cautious about replacing direct acpx calls globally — ensure you can opt out or revert; and
5) avoid supplying credentials until you can audit the script.
The current package is incomplete and should not be trusted to run without those clarifications.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b1jqxkykshzpnrf678w591x849kyf
