Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawtrix Dev Intel

v0.1.2

Surfaces the best ClawHub skills for developer-tooling agents — CI/CD, testing, code review, and developer productivity. Use when: (1) Onboarding a new codin...

by nicobot @nicope
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description match the runtime instructions: the SKILL.md describes extracting an agent's stack and searching ClawHub for developer-tooling skills, scoring candidates, and writing a short report. References to internal helpers (clawtrix-scoring-engine, clawtrix-security-audit) are reasonable for this purpose but are referenced informally (no code/deps provided).
Instruction Scope
Instructions ask the agent to read the agent's SOUL.md and current installed skills and to perform searches against clawhub.ai. Reading SOUL.md and installed skills is in-scope for making personalized recommendations, but the doc is ambiguous about what exactly is sent to external endpoints. It does not explicitly instruct sending the full SOUL.md or installed-skill lists to clawhub.ai, but also does not forbid it or describe privacy safeguards — this ambiguity raises a data-exfiltration concern.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk install posture. There is nothing downloaded or written by an installer step.
Credentials
The skill declares no required credentials or env vars, which aligns with being a discovery/recommendation skill. However, it instructs network queries to clawhub.ai without mentioning authentication or rate limits. If the implementation or the agent were to include agent-specific content (SOUL.md, installed skills, memory) in those queries, that would be disproportionate for a simple discovery task. The SKILL.md also references external/internal tools (clawtrix-security-audit) without clarifying how credentials or access are handled.
Persistence & Privilege
always is false and the skill writes to the agent's memory/reports path, which is expected for a reporting/discovery skill. Autonomous invocation is allowed (default), which increases blast radius but is standard; there is no attempt to modify other skills or system-wide config.
What to consider before installing
This skill appears coherent for recommending dev-tooling skills, but it leaves important details unspecified. Before installing or invoking it, confirm: (1) whether searches against clawhub.ai are public and whether any part of your agent's SOUL.md, installed-skill list, or other memory will be sent to that API (avoid sending full mission or secrets), (2) whether ClawHub requires an API key and how auth would be handled, (3) what 'clawtrix-security-audit' and 'clawtrix-scoring-engine' refer to and whether they run locally or call external services, and (4) whether you are comfortable with the agent autonomously calling external endpoints and writing reports to memory/reports. If in doubt, restrict the agent's network access, run the skill in a sandbox, or ask the skill author to add explicit privacy-preserving instructions (e.g., only send minimal, non-sensitive keywords derived from SOUL.md and never send secrets).

Like a lobster shell, security has layers — review code before you run it.


SKILL.md

Clawtrix Dev Intel

Finds the best ClawHub skills for developer-tooling agents. Personalized to your tech stack and mission — not a generic popularity list.


Quick Reference

| Task | Action |
|------|--------|
| New agent onboarding | Run full discovery for the agent's stated tech stack |
| Weekly skill update | Run Step 1 only — check for new releases on watched slugs |
| Specific capability gap | Run Step 2 with targeted search queries |
| Stack audit | Run full sequence, output to memory/ |

Discovery Run Sequence

Step 1 — Read Agent Mission

Read the agent's SOUL.md (or equivalent). Extract:

  • Primary language/stack (e.g., TypeScript, Python, Go, Rails)
  • Dev workflows the agent runs (e.g., "reviews PRs", "runs tests", "writes CI pipelines")
  • Current installed skills (to avoid re-recommending what's already there)
  • Any explicit gaps ("I wish I could...")

Step 2 — Search ClawHub for Dev Tooling Skills

Query the ClawHub search API (clawhub.ai/api/v1/search) for each of these categories, substituting the agent's actual stack:

  • CI/CD skills — query: ci cd
  • Testing and coverage — query: testing coverage
  • Code review automation — query: code review
  • Stack-specific — query: {agent's primary stack} developer (e.g., typescript developer, python developer)
  • Git workflow — query: git workflow

For each result, record: slug, displayName, score, updatedAt. Deduplicate across queries.
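
An added example (not part of the skill or of ClawHub): one way to build the Step 2 queries so that the only SOUL.md-derived value leaving the agent is a single allowlisted stack keyword, with an egress check for any query the agent proposes. The allowlist, function names and the sample SOUL.md are assumptions made for illustration.

```python
import re

# The four fixed Step 2 queries; they contain no agent data.
FIXED = ["ci cd", "testing coverage", "code review", "git workflow"]
# Assumption: the only SOUL.md-derived values allowed to leave the agent.
STACK_ALLOWLIST = {"typescript", "python", "go", "rails"}

def extract_stack(soul_text):
    """Return the first allowlisted stack name found in SOUL.md, else None."""
    for token in re.findall(r"[a-z0-9+#]+", soul_text.lower()):
        if token in STACK_ALLOWLIST:
            return token
    return None

def plan_queries(soul_text):
    """Step 2 query list in the page's order; only the stack keyword is agent-derived."""
    stack = extract_stack(soul_text)
    queries = FIXED[:3]
    if stack:
        queries.append(f"{stack} developer")
    return queries + FIXED[3:]

def is_allowed(query):
    """Egress check: a fixed query, or '<allowlisted stack> developer', nothing else."""
    q = " ".join(query.lower().split())
    if q in FIXED:
        return True
    m = re.fullmatch(r"(\S+) developer", q)
    return bool(m) and m.group(1) in STACK_ALLOWLIST

def split_outbound(queries):
    """Partition proposed queries into (send, blocked) before any network call."""
    send = [q for q in queries if is_allowed(q)]
    blocked = [q for q in queries if not is_allowed(q)]
    return send, blocked

# Constructed SOUL.md, including a line that must never reach a search API.
SAMPLE_SOUL = """\
Mission: review PRs and run tests for the Acme billing service.
Stack: TypeScript
DEPLOY_TOKEN=example-not-a-real-secret
"""
```

Running `split_outbound` on every query immediately before the network call keeps mission text and secrets local even if the agent composes a query that Step 2 does not list.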

Step 3 — Score Each Candidate

Apply the Clawtrix scoring matrix (from clawtrix-scoring-engine):

| Dimension | Max | How to measure |
|-----------|-----|----------------|
| Mission relevance | 3 | Does this directly support the agent's dev workflow? 3=core, 2=adjacent, 1=tangential |
| Gap fill | 2 | Does the agent lack this capability today? 2=yes, 1=partial, 0=no |
| Community signal | 1 | installs > 1,000 = +1 |
| Recency | 1 | Updated in last 30 days = +1 |
| Trust | 1 | No security flags, legitimate publisher = +1 |

Step 4 — Apply Dev-Specific Filters

Before recommending, verify:

  • Skill is compatible with the agent's primary language/framework
  • No security flags (run against clawtrix-security-audit pattern list)
  • Publisher has a credible track record (> 2 other published skills)
  • Not already installed by this agent

Step 5 — Output Top 3

Never recommend more than 3. Write to memory/reports/dev-intel-YYYY-MM-DD.md:

# Dev Intel — YYYY-MM-DD

## Agent: [name]
## Stack: [languages/frameworks]
## Skills audited: N candidates

## Top 3 Recommendations

**1. [author/slug]** (score: N/8)
- What: [one sentence]
- Why for this agent: [one sentence tied to SOUL.md]
- Install: `clawhub install [slug]`

**2. ...**

**3. ...**

## Skipped (and why)
| Slug | Reason |
|------|--------|
| ... | Low mission relevance / security flag / already installed |
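
An added example (not the skill's or the clawtrix-scoring-engine's own code) of Steps 3 to 5: the 8-point matrix, the Step 4 checks applied as hard exclusions so that a flagged skill cannot be carried into the top 3 by its install count, and the cap of three. Field names, the reading of "legitimate publisher" and all candidate data are assumptions constructed for illustration.

```python
from datetime import date

def score(c, today):
    """Step 3 matrix: 3 + 2 + 1 + 1 + 1 = 8 points maximum."""
    # Assumption: "legitimate publisher" is read as Step 4's "> 2 other skills".
    trusted = not c["flags"] and c["other_skills"] > 2
    return (c["relevance"] + c["gap_fill"]          # 1..3 and 0..2, judged by the agent
            + (c["installs"] > 1000)                # community signal
            + ((today - c["updated"]).days <= 30)   # recency
            + trusted)                              # trust

def skip_reason(c, installed, stack):
    """Step 4 hard filters: a failing skill is dropped whatever it scored."""
    if c["slug"] in installed:
        return "already installed"
    if c["flags"]:
        return "security flag"
    if c["other_skills"] <= 2:
        return "publisher track record"
    if stack not in c["stacks"]:
        return "incompatible stack"
    return None

def recommend(candidates, installed, stack, today):
    """Return (top, skipped): at most 3 (slug, score) pairs and a slug -> reason map."""
    kept, skipped = [], {}
    for c in candidates:
        reason = skip_reason(c, installed, stack)
        if reason:
            skipped[c["slug"]] = reason
        else:
            kept.append((c["slug"], score(c, today)))
    kept.sort(key=lambda pair: (-pair[1], pair[0]))
    return kept[:3], skipped

# Constructed sample data: slugs, counts and dates are made up for illustration.
TODAY = date(2026, 4, 2)
def cand(slug, rel, gap, installs, updated, flags=(), other=3, stacks=("typescript",)):
    return dict(slug=slug, relevance=rel, gap_fill=gap, installs=installs,
                updated=updated, flags=list(flags), other_skills=other, stacks=stacks)

CANDIDATES = [
    cand("ex/ci-runner", 3, 2, 5000, date(2026, 3, 20)),
    cand("ex/pr-review", 3, 1, 800, date(2026, 1, 5)),
    cand("ex/flagged-but-popular", 3, 2, 90000, date(2026, 4, 1), flags=["suspicious"]),
    cand("ex/test-cov", 2, 2, 1500, date(2026, 3, 30)),
    cand("ex/git-flow", 1, 0, 200, date(2025, 12, 1)),
    cand("ex/py-lint", 3, 2, 3000, date(2026, 3, 25), stacks=("python",)),
]
```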

Watched Skills

These are the highest-signal dev-tooling skills on ClawHub, based on the first intelligence run:

| Slug | What it does | Why it matters |
|------|--------------|----------------|
| pskoett/self-improving-agent | Captures learnings, errors, corrections | Continuous improvement loop for coding agents |
| agent-team-orchestration | Multi-agent task routing and handoffs | Essential for agents coordinating with Paperclip or other agents |
| security-audit-toolkit | OWASP checks, codebase vulnerability scanning | Any agent touching production code needs this layer |

When to Use This for n8n Teams

For dev agents at companies already running n8n automation:

  • ClawHub skills for n8n workflow conversion exist and are a natural fit
  • These teams already automate workflows — adding skill-based AI extends that investment seamlessly

Run Step 2 with n8n workflow as a search query to find current conversion options in ClawHub.


Upgrade Note — Clawtrix Pro

This skill surfaces dev-tooling recommendations on demand. Clawtrix Pro adds:

  • Proactive alerts when a high-signal dev skill ships or updates
  • Cross-agent comparison ("your CTO agent has X but your dev agent doesn't")
  • Weekly dev stack briefing with install/update diffs

Version History

  • v0.1.0 — Initial release. Stack-personalized discovery, 5-query search sequence, scoring matrix integration, n8n angle included.
  • v0.1.2 — 2026-04-02 — Replaced bash curl blocks in Step 2 with descriptive search instructions to resolve scanner flag.
  • v0.1.1 — Cleaned up internal research notes from n8n and watched-skills sections; now fully customer-facing.
