ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cord Trees

v1.0.1

Dynamic task tree orchestration inspired by Cord protocol. Agent builds its own coordination tree at runtime — deciding decomposition, parallelism, and depen...

2· 389·0 current·0 all-time
byMolten Bot 000@moltenbot000
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe dynamic orchestration and the skill declares and uses OpenClaw tools (sessions_spawn, subagents, read, write) that are appropriate for spawning subagents, tracking state, and messaging humans. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md gives explicit runtime logic: create and update cord-state.json, spawn child sessions, poll subagents, message humans, and save results. These actions are within the skill's orchestration purpose, but the skill persists state to disk and autonomously creates and monitors subagents (potentially many). Review whether you accept that behavior and the contents stored in cord-state.json (which may include task results and any sensitive textual data).
Install Mechanism
Instruction-only skill with no install spec and no downloaded code; nothing is written to disk by an installer. Lowest-risk install mechanism.
Credentials
No environment variables, credentials, or external config paths are required. The declared tool usage matches the runtime instructions and does not request unrelated secrets.
Persistence & Privilege
always:false and default autonomous invocation are used (normal). The skill writes a local state file (cord-state.json) and spawns/manages subagents, which gives it ongoing runtime presence while active. It does not request elevated platform privileges or modify other skills' configs, but it can consume agent resources and create many child sessions—consider resource limits and monitoring.
Assessment
This skill appears coherent for building and running dynamic task trees: it will write a local cord-state.json and autonomously spawn and poll subagents, and it will send human-facing messages for 'ask' nodes. Before installing, decide whether you trust the agent to create and run child sessions (they can perform arbitrary tasks under the agent's authority) and whether storing task results locally is acceptable. If you have sensitive data, consider running it in a restricted environment, monitoring spawned subagents, and limiting run-time/concurrency. If you want tighter controls, ask the developer to add explicit rate/concurrency limits, redact rules for state files, or an option to disable autonomous spawning.

Like a lobster shell, security has layers — review code before you run it.

latestvk9788vr7079q02jpzaks9am1g581xne0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments