Firm Ecosystem Audit Pack
v1.0.0
Ecosystem differentiation audit pack. MCP firewall, RAG pipeline, sandbox exec, context health, provenance tracking, cost analytics, and token budget optimiz...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (ecosystem audits: MCP firewall, RAG, sandbox, provenance, cost, token budget) matches the SKILL.md content. The SKILL.md declares a dependency on mcp-openclaw-extensions >= 3.0.0 which plausibly provides the listed openclaw_* audit tools.
Instruction Scope
SKILL.md is an instruction-only wrapper that expects seven platform tools (openclaw_*). It does not itself ask the agent to exfiltrate secrets, but usage examples show passing config_path and session_data — the skill assumes those tools will read files/inputs. The instructions are terse and leave execution detail to the external extension, so a human should verify exactly what each tool reads or runs (especially sandbox_exec and firewall checks).
Install Mechanism
No install spec or code files are included (lowest installer risk). The only declared requirement is mcp-openclaw-extensions >= 3.0.0 in SKILL.md metadata; the skill is effectively a manifest that delegates actual behavior to that extension.
Credentials
The skill requests no environment variables, credentials, or config paths itself. Example usage references a config_path provided by the user — reasonable for an audit tool, but the real access/control depends on the external extension's behavior.
Persistence & Privilege
always is false; agent invocation is permitted (platform default). The skill does not request persistent presence or modify other skills; no elevated persistence privileges are declared.
Scan Findings in Context
[regex-scanner-no-findings] expected: The static scanner found nothing because this is instruction-only (no code files). This is expected; absence of findings does not prove safety — the actual behavior depends on the referenced mcp-openclaw-extensions.
Assessment
This skill is a manifest that calls seven platform audit tools provided by an external extension (mcp-openclaw-extensions >= 3.0.0). Before installing or running it:
(1) Verify you have and trust the mcp-openclaw-extensions package (review its code or vendor/source).
(2) Confirm what each openclaw_* tool does and what files/paths it will read or execute — the SKILL.md is terse and delegates behavior.
(3) Be cautious when supplying config_path or session_data (they may contain secrets); only point to files you expect an audit to read.
(4) If sandbox_exec or firewall-check tools can execute code or change policies, restrict their permissions or run in an isolated environment and perform a human review of results.
If you cannot review the external extension or cannot trust its source, do not enable this skill.
Like a lobster shell, security has layers — review code before you run it.
