ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Concurrent Process Algebra for AI Agents

v2.0.0

Manage AI agent workflows using concurrent process algebra patterns like parallel tasks, branch-fix loops, fan-out comparisons, and session status tracking.

0· 84·0 current·0 all-time
byJosé I. O.@jose-compu

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for jose-compu/cpa-agents.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Concurrent Process Algebra for AI Agents" (jose-compu/cpa-agents) from ClawHub.
Skill page: https://clawhub.ai/jose-compu/cpa-agents
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cpa-agents

ClawHub CLI

Package manager switcher

npx clawhub@latest install cpa-agents
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe multi-agent orchestration and the SKILL.md provides operators (saga, invertible, converse, guard, etc.) and JSON command shapes that match that purpose. Requesting an OpenClaw Gateway and session context (appendEvent) is consistent with an OpenClaw integration. However, asking the user to install an external npm package ('cpa-agents') is a notable dependency that is not bundled or verified by the skill manifest; the skill metadata lacks a homepage or source to justify that dependency.
Instruction Scope
The runtime instructions stay within the stated domain (workflow operators, commands like parallel/branch-fix/fan-out/status). They do not instruct reading arbitrary system files, exfiltrating data, or accessing unrelated environment variables. The only out-of-band action is the explicit 'npm install cpa-agents' instruction, which extends the skill's runtime behavior to code downloaded from the npm ecosystem.
!
Install Mechanism
The skill is instruction-only (no install spec), yet directs users to run 'npm install cpa-agents'. There is no provided provenance, homepage, or source repository for that package in the skill metadata. Installing an unvetted npm package can introduce postinstall scripts, remote code execution, or supply-chain compromise. The lack of an official install specification or known release host increases the risk.
Credentials
The skill does not declare or require any environment variables, credentials, or config paths. Its stated runtime needs (OpenClaw Gateway and a session context providing appendEvent) are proportional to the orchestration purpose and are not excessive.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges in the manifest. It does not instruct modifying other skills or system-wide agent settings. Autonomous invocation is allowed (platform default) but is not combined with other red flags here.
What to consider before installing
This skill appears to do what it says (CPA-based agent orchestration) but it tells you to 'npm install cpa-agents' while providing no homepage, source repo, or provenance. Before installing or running it: 1) Verify the 'cpa-agents' package on the npm registry (owner, publish history, recent versions, maintainers). 2) Inspect the package contents and postinstall scripts (prefer cloning the repo or reviewing source before installing). 3) Run the package in an isolated environment (container or sandbox) first. 4) Ask the skill author for the source repository, changelog, and security contact; prefer skills that include a vetted install spec or published releases on a known host. 5) Ensure OpenClaw Gateway/session contexts are isolated from secrets and production systems while testing. If you cannot verify the package/source, treat this as untrusted and avoid installing it in sensitive environments.

Like a lobster shell, security has layers — review code before you run it.

latestvk971z621a49q59jxs5wac7h5ex84qxfy
84downloads
0stars
2versions
Updated 2w ago
v2.0.0
MIT-0
José I. O.@jose-compu
latest
Download

CPA Agents for OpenClaw

Version: 2.0.0

Use concurrent process algebra for practical multi-agent orchestration in OpenClaw. This skill is focused on production workflows: parallel execution, branch-fix loops, model fan-out, and session status introspection.

Install

1) Install library dependency

npm install cpa-agents

2) Create skill entrypoint

import { createOpenClawSkill } from "cpa-agents/adapters/openclaw";

export default createOpenClawSkill();

3) Runtime prerequisites

  • OpenClaw Gateway is running and reachable.
  • Skill host supports async command handlers.
  • Session context provides appendEvent for trace streaming.

Advanced operators

Use these when you need stronger control over failures, rollback, and data lineage.

Undo / rollback (invertible + saga)

  • invertible(forward, undo) defines a step plus compensating action.
  • saga([...steps]) executes steps in order; on failure, runs undo in reverse order.
  • Best for workflows with side effects (branch creation, file writes, merges, etc.).

Pattern:

import { invertible, saga } from "cpa-agents";

const workflow = saga([
  invertible(createBranch, deleteBranch),
  invertible(writeCode, revertCode),
  invertible(runValidation, cleanupValidation),
]);

Provenance (converse)

  • converse(R, inverseFn) is relational provenance, not operational undo.
  • Use it to answer: "which input(s) could have produced this output?"
  • Keep this separate from rollback logic (invertible/saga).

Pattern:

import { rel, converse } from "cpa-agents";

const generate = rel("generate", async (prompt: string) => [prompt + "-out"]);
const provenance = converse(generate, async (output: string) => [output.replace("-out", "")]);

Guarded flow (guard, guardValue, ifThenElse)

  • Use guard(...) to block unsafe execution.
  • Use guardValue(...) when a required value must exist.
  • Combine with ifThenElse(...) for conditional routing.

Reliability (retryWithBackoff, timeout, or)

  • retryWithBackoff for transient failures.
  • timeout(ms, process) to bound execution.
  • or(primary, fallback) for fallback routing when primary fails.

Practical guidance: undo vs converse

  • Use undo (invertible + saga) when you must reverse side effects.
  • Use converse for provenance/audit and lineage queries.
  • Typical production setup uses both:
    • saga during execution
    • converse for post-run explainability

Commands

parallel

Run independent tasks concurrently.

{
  "tasks": [
    "analyze failing tests",
    "draft fix proposal",
    "write migration notes"
  ],
  "timeout": 300000
}

branch-fix

Run one task, and if errors are returned, branch into fix flow and continue.

{
  "task": "implement auth middleware and resolve lint issues",
  "timeout": 300000
}

fan-out

Run the same task across multiple models and merge outputs.

{
  "task": "propose API surface for agent orchestration",
  "models": ["model-a", "model-b"],
  "timeout": 300000
}

status

Return the current CPA process tree/status for the session.

{}

Recommended prompts

  • "Run parallel: audit security risks, propose patch plan, generate tests"
  • "Branch-fix this refactor until no type errors remain"
  • "Fan-out this architecture question across two models and compare"
  • "Show cpa status"
  • "Execute as saga: create branch, patch files, validate, rollback on failure"
  • "Show provenance: what input likely produced this output?"

Troubleshooting

  • Gateway not connected:
    • Start OpenClaw Gateway and retry.
  • Unknown command:
    • Use one of: parallel, branch-fix, fan-out, status.
  • Timeout:
    • Increase timeout in command args.
  • Missing session events:
    • Ensure session context is present and appendEvent is enabled.
  • Rollback did not occur:
    • Verify steps are wrapped with invertible(...) and executed with saga(...).
  • Provenance unclear:
    • Provide an explicit inverseFn when defining converse(...).

Comments

Loading comments...