ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Foreman

v1.0.0

Orchestrate sub-agent workers and shell jobs with progress tracking, cron-based heartbeat monitoring, crash detection, and alerting. Use when spawning sub-ag...

0· 0·0 current·0 all-time
by@halfdeadcat
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Foreman’s scripts and SKILL.md align with an orchestration/monitoring purpose: spawning agents, writing status files, registering crons, and sending heartbeats. However, some actions (reading gateway tokens from ~/.openclaw-*/openclaw.json and calling a local chat-completions endpoint) access sensitive local gateway credentials and session transcripts. Those accesses can be justified for 'session compaction + reload', but they are sensitive and not declared in metadata.
!
Instruction Scope
SKILL.md and the scripts instruct the agent to read session JSONL files, load tokens from user config files, call a local HTTP gateway, and run an external transcript-trim.py at an absolute author-specific path (/home/swabby/bin/transcript-trim.py). The instructions therefore access file system locations and credentials beyond simple orchestration (session tokens, transcripts), and they require the agent to run code that modifies user crontab and session state. These steps broaden scope and require explicit user acknowledgement.
Install Mechanism
This is instruction+script-only with no install spec. Nothing is downloaded or installed by the registry. Risk from install mechanism itself is low. That said, included scripts reference author-specific files and assume a particular environment, which may silently fail or behave unexpectedly.
!
Credentials
The skill declares no required env/config but silently reads local gateway tokens and session files. More importantly, agent-monitor.sh sets a default FOREMAN_ALERT_TARGET of 'U0AM4BLBUUW' (looks like a Slack user ID). If not overridden, job statuses/alerts may be sent to that ID by default. That default destination is a high-risk surprise (potential data exfiltration) and is not justified in the description or requires fields.
Persistence & Privilege
Foreman registers cron jobs (modifying the user's crontab) and writes state files under ~/.openclaw and /tmp; that persistence is consistent with the stated need to monitor long-running jobs. It's not marked always:true, but it does change persistent user state (crontab and files), so users should expect lasting side-effects and review crontab changes.
What to consider before installing
This skill appears to implement orchestration features you might want, but it performs sensitive actions that are not declared: it reads local OpenClaw gateway/session files (including tokens), calls a local gateway API, writes persistent status files, and will by default send alerts to a hard-coded Slack target (U0AM4BLBUUW) unless you override it. Before installing or running: - Inspect and, if necessary, remove or change the default FOREMAN_ALERT_TARGET and FOREMAN_ALERT_CHANNEL in the scripts so alerts go only where you expect. Do not leave the hard-coded Slack ID. - Verify the openclaw CLI behavior (openclaw message send) and confirm it will not forward sensitive logs to external parties. - Confirm you trust the referenced transcript-trim.py and the absolute paths (/home/swabby/*). Replace author-specific paths with your own trusted tooling. - Backup your crontab, then run the scripts in a controlled test environment first to observe what cron entries are added/removed. - If you do not want the skill to access gateway tokens or session transcripts, do not grant it filesystem access to ~/.openclaw*; modify compact-before-spawn to avoid reading tokens or to require explicit env vars. Because of the hard-coded alert target and silent token access, treat this skill as suspicious until you remove or explicitly vet those behaviors.

Like a lobster shell, security has layers — review code before you run it.

latestvk978rs6fwwk1z5hv3smv01efnn84xyqg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments