ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ops & Production Bundle: 5-Guide Collection for Running Agent Systems at Scale

v1.2.0

Ship and operate AI agent systems in production. Covers fleet management, production hardening, distributed observability, QA/chaos testing, and incident res...

0· 36·0 current·0 all-time
by@mirni
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to be a collection of textual guides for running agent systems; no binaries, installs, or runtime integrations are present. However, the SKILL.md frontmatter lists credentials: [GREENHELIX_API_KEY], which is not coherent with a static guide bundle and has no explained purpose.
Instruction Scope
The SKILL.md contains only metadata and a list of included guides. There are no runtime instructions that read environment variables, call external APIs, or run commands. The absence of any instructions that would use an API key reduces immediate runtime risk but also increases the oddness of declaring a credential.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which is the lowest-risk install mechanism.
!
Credentials
Requesting a GREENHELIX_API_KEY (declared in SKILL.md credentials) is disproportionate for a bundle of guides. The registry metadata shown earlier listed 'Required env vars: none', creating an internal inconsistency. An API key named like this implies access to an external service and should be justified by code or runtime steps — none are present.
Persistence & Privilege
The skill does not request always:true and is user-invocable with autonomous invocation enabled (platform default). There is no evidence it attempts to alter other skills or persist system-wide configuration.
What to consider before installing
This bundle appears to be only documentation, but its SKILL.md declares a GREENHELIX_API_KEY credential with no explanation. Before installing or providing secrets: 1) Ask the publisher why an API key is required and what the key grants access to. 2) Verify the publisher identity and check for a legitimate homepage/source. 3) Do not supply any API keys or secrets unless the skill clearly documents how and why they are used. 4) Prefer to keep secrets scoped and short-lived; if a key is requested, demand minimal scopes and auditability. 5) If you cannot get a clear justification, treat the credential request as a red flag and avoid installing or enabling the skill.

Like a lobster shell, security has layers — review code before you run it.

agentopsvk971280r6nzsw4z9g9ey4sj56n84sf14ai-agentvk971280r6nzsw4z9g9ey4sj56n84sf14bundlevk971280r6nzsw4z9g9ey4sj56n84sf14greenhelixvk971280r6nzsw4z9g9ey4sj56n84sf14guidevk971280r6nzsw4z9g9ey4sj56n84sf14incident-responsevk971280r6nzsw4z9g9ey4sj56n84sf14latestvk971280r6nzsw4z9g9ey4sj56n84sf14observabilityvk971280r6nzsw4z9g9ey4sj56n84sf14openclawvk971280r6nzsw4z9g9ey4sj56n84sf14productionvk971280r6nzsw4z9g9ey4sj56n84sf14testingvk971280r6nzsw4z9g9ey4sj56n84sf14

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments