Agent Benchmark

What to consider before installing/running: - Clarify the runner: SKILL.md describes a PowerShell runner, but the package includes index.js (Node) that actually runs tasks. Ask the author which runner is intended. - Runtimes required: index.js may spawn python, node, and go; the registry metadata declares no required binaries. Ensure you want those interpreters available on the host and that you trust code executed by them. - Arbitrary code execution: the benchmark executes task-provided code by writing files and spawning interpreters. If you (or untrusted third parties) add tasks, they can run arbitrary commands with your user permissions. Run only in an isolated/sandbox environment or inspect tasks before execution. - Persistent writes: the tool writes reports into a '../../memory' path outside the skill directory—inspect where that resolves in your environment and whether you want benchmark outputs (which may include environment values) stored persistently. - Review tasks and index.js: before running, open tasks/*.json and index.js to confirm no task prints secrets or calls external endpoints; the provided files show no external network calls, but tasks can be extended. - Safe deployment recommendations: run in a disposable VM or container, or run with restricted user privileges and no sensitive env vars present; consider removing support for languages you don't want to allow (or run the runner in a capability-restricted sandbox). If you want, I can (1) point out the exact lines in index.js that create temp dirs, spawn child processes, and write to '../../memory', or (2) propose a safer runner configuration (e.g., disable python/go, restrict to dry-run mode).

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.