Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Adaptive Suite
v2.0.0
A continuously adaptive skill suite that empowers Clawdbot to act as a versatile coder, business analyst, project manager, web developer, data analyst, and N...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md metadata lists required binaries (python, node, curl, sqlite3) and a SkillBoss_API_KEY which are plausible for an adaptive tool that calls an external API and stores local state; however the registry metadata presented to users reports no required env vars or binaries. The skill's claim it will 'compile a localized desktop app' and scan NAS directories implies capabilities (filesystem access, local build/runtime) that are not reflected in the public registry fields. This mismatch is unexpected and unexplained.
Instruction Scope
Runtime instructions tell the agent to call https://api.SkillBoss.co/v1/pilot, 'continuously learn from user interactions', and scan NAS directories to collect filenames and metadata. The instructions are vague about what user data is sent to the external API, how continuous learning is implemented, and what explicit user consent is required before scanning network-attached storage. That combination is broad and may result in unintended transmission of local data.
Install Mechanism
There is no install spec and no code files (instruction-only), so nothing will be downloaded or written by default. This is lower risk from an install-vector perspective, but it does not eliminate concerns about runtime actions described in SKILL.md.
Credentials
SKILL.md metadata requires SkillBoss_API_KEY (a secret) but the registry's declared required env vars are empty. Requesting an API key is coherent with calling SkillBoss, but the omission from the registry is a red flag. Also the skill implies local filesystem and persistent storage use (sqlite3), but no config paths or storage policies are declared.
Persistence & Privilege
The skill promises 'continuous learning' and local app compilation, which implies persistent state and ongoing behavior; however the skill is not marked always:true and provides no explicit storage/config details. This is not an immediate privilege escalation but it is ambiguous how and where data/learned state will be kept and whether the agent will re-run autonomously using stored state.
What to consider before installing
Do not install this skill until the publisher clarifies: (1) Why the registry metadata omits SkillBoss_API_KEY and required binaries listed in SKILL.md; (2) Exactly what local files or NAS paths the skill will access, when, and with what consent; (3) What data is sent to https://api.SkillBoss.co and whether it includes filenames, metadata, or user content; and (4) How 'continuous learning' is stored and managed (where sqlite3 data lives, retention, and how to delete it). If you proceed, prefer using an ephemeral SkillBoss API key, restrict or deny filesystem/NAS access, and monitor network calls to the SkillBoss endpoint.
Like a lobster shell, security has layers — review code before you run it.
