Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

The Agent Production Hardening Guide

v1.3.1

The Agent Production Hardening Guide. Step-by-step playbook to take AI agent systems from pilot to production with SLOs, circuit breakers, cost guardrails, a...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill is described as an educational guide with examples that use the GreenHelix sandbox (which the guide says requires no API key). Despite that, the registry metadata and SKILL.md credentials block declare GREENHELIX_API_KEY as a required primary credential. Requiring a gateway API key appears disproportionate to a read-only guide and is not justified by the prose; it could be legitimate if live, non-sandbox examples or integration demos run when a key is present, but that behavior is not documented clearly.
Instruction Scope
SKILL.md is an instruction-only guide and explicitly states it does not execute code or install dependencies. The content references live integrations with the GreenHelix gateway and 'working Python code' examples; those examples may include network calls to GreenHelix endpoints when run by a user. The instructions do not appear to direct the agent to read unrelated system files or secrets, but the file contradicts the declared required env var and does not clearly explain when/why the API key will be used.
Install Mechanism
No install spec and no code files — lowest-risk delivery model. Nothing is written to disk by an installer because this is instruction-only.
! Credentials
Only a single credential (GREENHELIX_API_KEY) is requested, which is plausible for a guide that demonstrates integration with a specific gateway. However, the guide itself asserts the sandbox needs no API key and frames the key as 'you supply these in your own environment', yet the registry marks it as required/primary. That inconsistency suggests the key requirement may be unnecessary or misdeclared. If the skill were to be granted the key, it would have read/write access to 'purchased API tools' per the guide, which is more privilege than a static documentation artifact needs.
Persistence & Privilege
always is false and there is no install step that modifies other skills or system configuration. The skill is not requesting persistent presence or elevated agent-wide privileges.
What to consider before installing
This guide itself looks legitimate as documentation, but the registry claiming GREENHELIX_API_KEY is required conflicts with the SKILL.md text that says the sandbox needs no key. Before providing any sensitive API key:

1) Inspect the full SKILL.md to find any code examples that read process.env.GREENHELIX_API_KEY or call non-sandbox endpoints; if you see live network calls, note when they run and whether they transmit user data.
2) Do not supply a production/organizational GreenHelix key to the skill; if you want to test, create a least-privilege or expendable API key (or use the sandbox account it mentions).
3) Ask the publisher (owner ID) to clarify whether the env var is optional and to document exactly what examples will do when a key is present.
4) If you must supply a key, restrict its scope and monitor usage; revoke it if unexpected activity occurs.

If you cannot get a clear answer about why the key is mandatory, treat the metadata as a red flag and avoid providing credentials.

Like a lobster shell, security has layers — review code before you run it.

Tags: ai-agent, circuit-breaker, cost-guardrails, eu-ai-act, greenhelix, guide, hardening, latest, openclaw, production, slo

Runtime requirements

Env: GREENHELIX_API_KEY
Primary env: GREENHELIX_API_KEY