Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Automate

v1.0.0

Identify tasks that waste tokens. Scripts don't hallucinate, don't cost per-run, and don't fail randomly. Spot automation opportunities and build them.

by Iván @ivangdavila
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (spot token-waste and create scripts) matches the SKILL.md, signals.md, and templates.md contents: all materials focus on detecting repetitive deterministic tasks and providing script templates. One mismatch: the skill declares no required binaries/env, but templates assume common command-line tools (jq, python3, curl, git, gh, npx, macOS 'security' CLI). That is plausible for a general automation skill, but the missing explicit binary requirements are an operational gap the user should be aware of.
Instruction Scope
Instructions stay within the stated purpose (identify automation candidates, standardize and produce scripts). However several templates perform local file operations, run git, call network endpoints, or retrieve credentials from a keychain (example uses `security find-generic-password`), so the agent or a user following templates could access local files, run commands, and call external APIs. Those behaviors are coherent with automation but require manual review before execution.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing is downloaded or written by the skill itself.
Credentials
The skill declares no required environment variables or credentials, which matches its advisory nature. Templates do show patterns for fetching tokens (keychain) or using CLI auth (gh, npx), but they do not demand secrets from the platform. Verify any templates that access stored credentials before use; the skill does not request broad credentials itself.
Persistence & Privilege
always:false and no attempt to modify other skills or system-wide agent settings. The skill is instruction-only and does not request persistent presence or elevated privileges.
Assessment
This skill is an advisory library of patterns and scripts — it appears coherent and not malicious, but exercise caution before running any suggested template:

- Review each script line-by-line before executing; templates include file operations, git pushes, network calls, and an example that pulls a token from the macOS keychain.
- Don’t run templates with elevated privileges or in production directories until tested in a sandbox.
- Install and verify required CLI tools (jq, python3, curl, git, gh, npx, etc.) yourself — the skill doesn’t declare them.
- Replace placeholder endpoints (e.g., api.example.com) and verify API tokens/sources; never copy a template that fetches credentials without understanding where they come from.

If you want a stricter posture, only use the detection and proposal parts of the skill and have a human author the scripts rather than auto-executing templates.

Like a lobster shell, security has layers — review code before you run it.
