ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentic Supply Chain Orchestration

v1.0.0

Agentic Supply Chain Orchestration. Build multi-agent supplier networks that self-heal: supplier discovery, real-time SLA monitoring, disruption detection wi...

0· 0·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill's stated purpose (agentic supply-chain orchestration) is plausible, but the SKILL.md repeatedly promises 'production-ready Python code' and direct use of the GreenHelix A2A Commerce Gateway API. The published bundle contains only a long markdown guide and no code or declared credentials for the external API, which is disproportionate and inconsistent with the claim that working code is included.
!
Instruction Scope
The SKILL.md explicitly references calling a third-party API at https://api.greenhelix.net/v1 and describes using a POST /v1/execute gateway and 128 tools. Because the skill contains no code files or declared auth variables, it's unclear how agents are expected to authenticate or where production code should come from. Instructions that direct the agent to interact with an external service without providing or requesting credentials broaden the agent's network-scope in an unexplained way.
Install Mechanism
There is no install spec and no files beyond SKILL.md, which minimizes on-disk/execution risk. However, the guide's reliance on an external API (and implied downloadable/available code) means the actual runtime behavior depends on where the agent obtains code or credentials — that external fetch behavior is not described in the package and could introduce risk later.
!
Credentials
No environment variables or credentials are declared, yet the guide expects use of a commercial API gateway that would almost certainly require authentication. The absence of any declared primary credential (API key, token, or OAuth) is inconsistent and suspicious: a legitimate integration guide would specify required keys, scopes, or how to obtain them.
Persistence & Privilege
The skill does not request persistent/always-on presence and defaults to normal invocation semantics. It does not declare any system config paths or elevated privileges in the package, so there's no immediate persistence/privilege escalation signal in the bundle itself.
What to consider before installing
Key things to consider before installing: (1) The guide promises 'production-ready Python code' but the package contains only a markdown file — ask the publisher where the code lives and insist on seeing it before use. (2) The SKILL.md directs interaction with https://api.greenhelix.net/v1 but no credentials or auth flow are declared — do not provide any API keys or secrets until you verify the service, its owner, and how authentication is expected to work. (3) Confirm the legitimacy of the GreenHelix endpoint and the author (felix-agent / owner ID) — search for an official project repo, company site, or published API docs. (4) If you plan to let this skill run autonomously, require explicit authentication and test in an isolated environment (no production data or real purchase orders) to ensure it won't call external endpoints unexpectedly. (5) If the vendor claims downloadable code, insist on an install spec that pins releases from a reputable host (GitHub releases or a package registry) rather than ad-hoc fetching, and review that code before granting network/credential access. Overall: the package is internally inconsistent — treat it with caution and gather missing artifacts and auth details before use.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk97ftn3a06tc4wm0pbgwqychqs84gjgddisruptionvk97ftn3a06tc4wm0pbgwqychqs84gjgdgreenhelixvk97ftn3a06tc4wm0pbgwqychqs84gjgdguidevk97ftn3a06tc4wm0pbgwqychqs84gjgdlatestvk97ftn3a06tc4wm0pbgwqychqs84gjgdmulti-agentvk97ftn3a06tc4wm0pbgwqychqs84gjgdopenclawvk97ftn3a06tc4wm0pbgwqychqs84gjgdorchestrationvk97ftn3a06tc4wm0pbgwqychqs84gjgdprocurementvk97ftn3a06tc4wm0pbgwqychqs84gjgdslavk97ftn3a06tc4wm0pbgwqychqs84gjgdsupply-chainvk97ftn3a06tc4wm0pbgwqychqs84gjgd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments