ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Consultoria Ia

v1.0.0

Consultoría integral de IA para PYMES que incluye diagnóstico McKinsey, diseño de soluciones personalizadas y seguimiento de ROI.

0· 73·0 current·0 all-time
byMarcelo@bustosmg

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for bustosmg/consultoria-ia.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Skill Consultoria Ia" (bustosmg/consultoria-ia) from ClawHub.
Skill page: https://clawhub.ai/bustosmg/consultoria-ia
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install consultoria-ia

ClawHub CLI

Package manager switcher

npx clawhub@latest install consultoria-ia
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and included docs (diagnosis, templates, agent configs, examples) match the stated purpose of an AI consulting workflow. However the SKILL.md and agent files request access to specific LLM flavors and runtime permissions (filesystem, exec, write, read, memory, tools) while the registry metadata lists no required env vars or binaries — a mismatch between what the package claims to require and what its instructions expect. Defining systemPrompts for agents is expected for this use case, but the metadata omission of required permissions/tools is surprising.
Instruction Scope
All runtime instructions are documentation-only (no install scripts), and the flows describe interviews, proposals, templates and ROI calculation. The agent configs embedded in files explicitly list tools like exec, write, read, web_search, memory_search and workspace paths and cron schedules — these allow the skill to run commands, read/write files, and schedule tasks. Those capabilities are plausible for a consulting skill that writes reports and scaffolds projects, but they broaden what the agent will do at runtime and should be limited to what's strictly necessary.
Install Mechanism
There is no install spec and no remote code download; this is an instruction-only skill with document files. That minimizes installation risk (nothing is automatically fetched/extracted).
Credentials
The registry shows no required environment variables or credentials, but README and SKILL.md refer to access to several LLM models (Claude Sonnet, GPT-4, Claude Haiku) and suggest optional configuration env vars (e.g., CONSULTORIA_PRECIO_HORA). The skill also references future integrations with external APIs (AFIP, MercadoLibre). Not requesting credentials in metadata is not necessarily malicious, but it's inconsistent: the skill expects model access and tool permissions without listing them formally. No explicit demand for unrelated cloud or secret credentials is present in files.
!
Persistence & Privilege
Although always:false, agent configuration files request workspace paths, a scheduled job (cron), and tools with high privilege (exec, read, write). These grant the skill the ability to execute commands, modify files, and persist data on disk — appropriate for scaffolding projects but also potentially dangerous if misused. The presence of exec/write in recommended tools increases the blast radius if the agent is allowed autonomous invocations; consider restricting these capabilities or reviewing exact commands the agent will run.
Scan Findings in Context
[system-prompt-override] expected: The skill contains explicit systemPrompt definitions for its agents (expected for multi-agent workflows). The scanner flagged a 'system-prompt-override' pattern — that can be benign (the skill defines agent behavior) but also indicates a potential prompt-injection technique. Review the systemPrompt strings for hidden or suspicious instructions and any attempts to override platform-level policies.
[unicode-control-chars] unexpected: The scanner detected unicode control characters in SKILL.md content. These can be used to obfuscate prompt-injection payloads or to manipulate how prompts are parsed. This is not expected for simple documentation and should be inspected (search for non-printable characters) before enabling the skill.
What to consider before installing
What to consider before installing: - Verify author and repo: the SKILL.md points to a GitHub issues URL and an email. Inspect the actual GitHub repository (commit history, issues, contributors) before trusting the skill. - Review agent tool permissions: agent configs request powerful tools (exec, read, write, schedule). If you don't need automatic code execution or filesystem writes, refuse or remove those tool permissions. Prefer read-only or limited-write capabilities. - Sandbox first: install and run the skill in an isolated/testing environment (no production secrets) to observe behavior. Check what files it creates and what commands it executes. - Check for hidden chars and prompt injection: search SKILL.md and agent files for non-printable/unicode-control characters and for any text that attempts to override platform/system prompts. Remove or sanitize suspicious content. - Limit autonomous invocation: although always:false, the skill could be invoked autonomously by the agent if enabled. If you must use it, restrict autonomy and verify outputs before letting it run commands. - Credentials and integrations: do not provide unrelated credentials (AWS, DBs, payment APIs) unless the skill explicitly documents why they are needed and you trust the author. Future integrations (AFIP, MercadoLibre) will require API keys — plan to provision those only after code review. If you want, I can: (1) scan the included files for non-printable characters and list any occurrences; (2) extract all agent tool lists and scheduled jobs for a focused review; or (3) prepare a minimal safe configuration (agents without exec/write) you can use to try the skill with limited privileges.
!
SKILL.md:37
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latestvk973jvxmvjpdxhqhcf023chdd984v2tx
73downloads
0stars
1versions
Updated 2w ago
v1.0.0
MIT-0
Marcelo@bustosmg
latest
Download

Skill: Consultoría IA

ID: consultoria-ia
Versión: 1.0.0
Autor: Marcelo Bustos mgbustos70@gmail.com
Licencia: CC-BY-NC-4.0
OpenClaw: >=2026.4.0

Descripción

Sistema completo de consultoría en inteligencia artificial para PYMES. Incluye metodología McKinsey para diagnóstico, desarrollo de soluciones personalizadas, y seguimiento de ROI.

Instalación

clawhub install consultoria-ia

Uso

# En conversación con OpenClaw
/consultoria diagnosticar [empresa] [vertical]
/consultoria proponer-solucion [problema]
/consultoria calcular-roi [inversion] [beneficio-esperado]

Comandos

  • diagnosticar - Realiza diagnóstico McKinsey de negocio
  • proponer-solucion - Diseña solución técnica de IA
  • calcular-roi - Calcula ROI de inversión en IA
  • seguimiento - Monitorea métricas de proyecto

Configuración

# En configuración de OpenClaw
agents:
  diagnosticador:
    model: claude-3-5-sonnet-20241022
    systemPrompt: "Eres consultor McKinsey especializado en IA..."
  
  desarrollador:
    model: gpt-4-turbo-preview
    systemPrompt: "Eres arquitecto técnico especializado en IA..."
  
  analista:
    model: claude-3-haiku-20240307
    systemPrompt: "Eres analista de datos especializado en ROI..."

Archivos incluidos

  • RESUMEN-EJECUTIVO.md - Documentación principal
  • flujo-entrevistas-mckinsey.md - Flujo diagnóstico
  • flujo-desarrollo-soluciones.md - Flujo desarrollo
  • agentes/ - Agentes especializados
  • templates/ - Plantillas reutilizables
  • checklists/ - Listas de verificación

Requisitos

  • OpenClaw 2026.4.0 o superior
  • Acceso a modelos: Claude Sonnet, GPT-4, Claude Haiku
  • Permisos: filesystem, memory, tools básicos

Ejemplos

Ver EJEMPLO-FERRETERIA.md para caso práctico completo.

Soporte

Issues: https://github.com/mgbustos/consultoria-ia-skill/issues
Email: mgbustos70@gmail.com

Changelog

1.0.0 (2026-04-13)

  • Versión inicial
  • Documentación completa
  • 3 agentes especializados
  • Templates y checklists
  • Ejemplo práctico

Publicado: 2026-04-13
Estado: Activo
Categoría: business/consulting

Comments

Loading comments...