Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cuihua Monorepo Manager

v1.0.0

๐Ÿ—๏ธ AI-powered monorepo management assistant. Automate workspace orchestration, dependency management, and build optimization for large-scale monorepo projects.

โญ 0ยท 98ยท0 currentยท0 all-time

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for supermario11/cuihua-monorepo-manager.

Install the skill "Cuihua Monorepo Manager" (supermario11/cuihua-monorepo-manager) from ClawHub.
Skill page: https://clawhub.ai/supermario11/cuihua-monorepo-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: node, git
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cuihua-monorepo-manager

ClawHub CLI

npx clawhub@latest install cuihua-monorepo-manager
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
Name/description and SKILL.md claim many advanced capabilities (dependency graph analysis, smart build ordering, cross-package change detection, automated versioning, CI/CD optimization). The only shipped code (monorepo.js) performs a very small workspace scan: it reads package.json and lists packages. It does not implement build-order computation, change detection, versioning, CI/CD integration, or network calls. Additionally, SKILL.md's metadata lists 'git' as required, but the code never invokes git. This is a substantive mismatch between claimed purpose and actual capability.
!
Instruction Scope
SKILL.md provides high-level user-facing capabilities but offers no concrete runtime instructions for the advanced behaviors it claims. The runtime artifact (monorepo.js) only reads package.json files under declared workspace patterns and prints package names; it does not access other system state, VCS history, or external services. Because instructions are vague and the implementation is minimal, the agent may be unable to fulfill user requests the skill advertises — this is scope/incoherence rather than direct malicious behavior.
✓
Install Mechanism
There is no install spec — the skill is instruction-only with a small local code file. That is low-risk from an install perspective (nothing downloaded from third-party URLs). The code shipped is short and readable; it performs local filesystem reads only.
ℹ
Credentials
The skill requires no environment variables and requests only standard binaries (node, git). However, the code does not use git at all, so declaring git as required is disproportionate and unexplained. No secrets or external credentials are requested, which is appropriate for the stated local-analysis tasks.
✓
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false), does not modify other skills or system-wide agent settings, and contains no code that writes persistent configuration beyond reading package.json files. Autonomous invocation is allowed by default, but that is normal and not by itself concerning here.
What to consider before installing
This skill appears to overstate what it can do. Before installing: (1) don't assume it performs build-order optimization, change detection, versioning, or CI integrations — the shipped code only reads package.json files and prints package names; (2) ask the author or maintainer for a clear mapping of claimed features to code paths (or for an updated implementation); (3) because it declares git as required but doesn't use it, be cautious — that may indicate missing code or sloppy metadata; (4) if you want those advanced features, prefer a skill with transparent, complete implementations or one from a known source; (5) test the skill in a sandboxed/local environment with non-sensitive repositories first. Additional information that would raise confidence to 'high': updated SKILL.md and code that actually implement and document change-detection (likely using git), dependency-graph construction, build-order algorithms, and any external integrations — or a trustworthy homepage/author identity and changelog showing these features.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node, git
latest: vk979amrecnet1daxb0yt5hm4w183get4
98 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

cuihua-monorepo-manager 🏗️

Tame your monorepo with AI-powered automation

Intelligent monorepo management for Lerna, Nx, Turborepo, and Yarn/npm workspaces.

Features

  • 📊 Dependency graph analysis
  • ⚡ Smart build ordering
  • 🔄 Change detection
  • 📦 Version management
  • 🚀 CI/CD optimization

Quick Start

"Analyze monorepo dependencies"
"Optimize build order"
"Detect affected packages"

Installation

clawhub install cuihua-monorepo-manager

License

MIT | Made with 🌸 by 翠花