Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Heleni Best Practices

v1.0.2

Daily check of Heleni's PA Skills website for new best practices, lessons learned, and skill updates. Use when: running daily sync, owner asks 'any updates f...

by Netanel Abergel @netanel-abergel

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for netanel-abergel/heleni-best-practices.

Install the skill "Heleni Best Practices" (netanel-abergel/heleni-best-practices) from ClawHub.
Skill page: https://clawhub.ai/netanel-abergel/heleni-best-practices
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install heleni-best-practices

ClawHub CLI


npx clawhub@latest install heleni-best-practices

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description match the runtime steps (fetch learn.html and skills list, diff, extract lessons). However the SKILL.md reads/writes $WORKSPACE/data and .learnings paths and uses /tmp — these config paths are not declared in the skill metadata. The doc also references a 'web_fetch' tool in Step 3 in addition to curl, which assumes the agent has that tool available.
Instruction Scope
Instructions are explicit about fetching pages, comparing state, extracting lessons and reporting. They write files to /tmp and the agent workspace and may fetch SKILL.md files from the public GitHub repo. There is an ambiguity: the top-level 'What It Does' says it 'applies relevant lessons to this agent's own SOUL.md / AGENTS.md / HOT.md', but a later table and Step 4 say the agent must 'Always ask before' modifying SOUL.md or HOT.md. That conflict should be resolved before trusting autonomous runs.
Install Mechanism
Instruction-only skill with no install spec or code files — lowest install risk. It relies on standard CLI tools (curl, python3) and agent tooling; nothing is downloaded or executed from arbitrary URLs by an installer.
Credentials
The skill requests no credentials or env vars (appropriate for a public-site sync). It implicitly assumes write access to $WORKSPACE and creation of .learnings and a state file. It may call the GitHub API anonymously (rate-limited); the SKILL.md does not declare an optional GITHUB_TOKEN if the operator wants authenticated requests.
Persistence & Privilege
always:false (no forced presence). The skill schedules a daily cron-like job in its spec but does not claim ability to modify other skills or system-wide agent settings. It does write its own state and logs in the agent workspace, which is consistent with its purpose.
What to consider before installing
This skill appears to do what it says — check a public Heleni page and a public GitHub skills folder and log differences — but there are a few things to confirm before installing:

  • Confirm you are comfortable with the skill reading and writing files under the agent workspace ($WORKSPACE/data and .learnings) and creating a state file; these paths are not declared in the metadata.
  • Resolve the ambiguity about automatic changes: the doc both says it will 'apply' lessons and also says to 'Always ask before' modifying SOUL.md/HOT.md. If you want human approval for edits, ensure the skill is configured to prompt the owner rather than auto-apply.
  • The skill uses curl/python3 and refers to a 'web_fetch' tool; ensure those tools exist in your agent environment.
  • If you expect heavy GitHub usage, consider providing a GITHUB_TOKEN (not currently declared) to avoid rate limits; do not provide tokens unless you trust the behavior.
  • Because the skill can run daily (cron entry provided) and can be invoked autonomously, verify the delivery/notification settings (it claims 'silent' by default) and whether you want automatic scheduling enabled.

If these points are acceptable or clarified (especially the file-write behavior and the ask-before-modify policy), the skill is coherent. If you need stricter guarantees, request the SKILL.md be updated to declare workspace/config paths and to remove the ambiguous wording about automatic edits.

Like a lobster shell, security has layers — review code before you run it.

latest vk974y9an1csazqdj6hygk4wqt5842wq3
81 downloads
0 stars
3 versions
Updated 3w ago
v1.0.2
MIT-0

Heleni Best Practices Sync

Heleni is an AI PA running on OpenClaw. She publishes real lessons from production at:


Minimum Model

Small model for fetching and diffing. Medium model for applying lessons.


What It Does

Once a day:

  1. Fetches the learn.html page and skill list from pa-skills
  2. Compares against last known state (saved locally)
  3. If new content detected → extracts actionable lessons
  4. Applies relevant lessons to this agent's own SOUL.md / AGENTS.md / HOT.md
  5. Reports changes to owner

Step-by-Step Process

Step 1 — Fetch current state

LEARN_URL="https://netanel-abergel.github.io/pa-skills/learn.html"
SKILLS_URL="https://github.com/netanel-abergel/pa-skills/tree/main/skills"
RAW_BASE="https://raw.githubusercontent.com/netanel-abergel/pa-skills/main/skills"

# Fetch learn page (-f: fail on HTTP errors instead of saving the error page)
curl -fsS "$LEARN_URL" -o /tmp/heleni-learn-current.html

# Get list of active skills from GitHub (anonymous API call, rate-limited)
curl -fsS "https://api.github.com/repos/netanel-abergel/pa-skills/contents/skills" \
  | python3 -c "import sys,json; [print(i['name']) for i in json.load(sys.stdin) if i['type']=='dir']" \
  > /tmp/heleni-skills-current.txt

Step 2 — Compare against last state

LAST_STATE="$WORKSPACE/data/heleni-best-practices-state.json"
# Exported so the Python snippets read the path from the environment
# instead of having it pasted into their source.
export LAST_STATE

# If no state file → first run, save and exit
if [ ! -f "$LAST_STATE" ]; then
  mkdir -p "$(dirname "$LAST_STATE")"
  python3 -c "
import json, hashlib, os
with open('/tmp/heleni-learn-current.html') as f: content = f.read()
with open('/tmp/heleni-skills-current.txt') as f: skills = f.read().strip().split()
state = {'learn_hash': hashlib.sha256(content.encode()).hexdigest(), 'skills': skills}
with open(os.environ['LAST_STATE'], 'w') as f: json.dump(state, f)
print('FIRST_RUN')
"
  exit 0
fi

# Compare hashes
# The heredoc delimiter is quoted ('EOF'), so the shell expands nothing inside it;
# a literal $LAST_STATE in the Python source would not resolve to the state path.
python3 << 'EOF'
import json, hashlib, os

with open('/tmp/heleni-learn-current.html') as f: current_content = f.read()
with open('/tmp/heleni-skills-current.txt') as f: current_skills = f.read().strip().split('\n')

current_hash = hashlib.sha256(current_content.encode()).hexdigest()

with open(os.environ['LAST_STATE']) as f: last = json.load(f)

changed = current_hash != last.get('learn_hash', '')
new_skills = [s for s in current_skills if s not in last.get('skills', [])]
removed_skills = [s for s in last.get('skills', []) if s not in current_skills]

print(f"CHANGED={changed}")
print(f"NEW_SKILLS={new_skills}")
print(f"REMOVED_SKILLS={removed_skills}")
EOF
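
The comparison in Steps 1 and 2 as one Python module, added here as an example and not part of the skill's own SKILL.md. It rejects a GitHub API error body (a JSON object rather than an array) so that a rate-limited fetch is not reported as every skill having been removed. The function names and sample inputs are constructed for illustration.

```python
import hashlib
import json


class FetchError(Exception):
    """The skills listing is not a usable directory listing."""


def parse_skill_dirs(api_body: str) -> list[str]:
    """Return sorted directory names from a GitHub contents-API response body."""
    try:
        data = json.loads(api_body)
    except json.JSONDecodeError as exc:
        raise FetchError(f"not JSON: {exc}") from exc
    # Error responses (rate limit, 404) are JSON objects, not arrays.
    if not isinstance(data, list):
        msg = data.get("message") if isinstance(data, dict) else None
        raise FetchError(msg or "unexpected response shape")
    return sorted(
        e["name"] for e in data
        if isinstance(e, dict) and e.get("type") == "dir"
        and isinstance(e.get("name"), str)
    )


def diff_state(learn_html: bytes, api_body: str, last: dict) -> dict:
    """Compare freshly fetched content with the saved state dict from Step 2."""
    skills = parse_skill_dirs(api_body)  # raises before any diff is reported
    learn_hash = hashlib.sha256(learn_html).hexdigest()
    old = set(last.get("skills", []))
    return {
        "changed": learn_hash != last.get("learn_hash", ""),
        "new_skills": sorted(set(skills) - old),
        "removed_skills": sorted(old - set(skills)),
        "next_state": {"learn_hash": learn_hash, "skills": skills},
    }


# Constructed sample inputs (not real API output).
SAMPLE_OK = json.dumps([
    {"name": "calendar", "type": "dir"},
    {"name": "README.md", "type": "file"},
    {"name": "email", "type": "dir"},
])
SAMPLE_RATE_LIMITED = json.dumps({"message": "API rate limit exceeded"})
SAMPLE_LAST = {"learn_hash": hashlib.sha256(b"<html>v1</html>").hexdigest(),
               "skills": ["calendar", "notes"]}

if __name__ == "__main__":
    print(diff_state(b"<html>v2</html>", SAMPLE_OK, SAMPLE_LAST))
```
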

Step 3 — Extract lessons (if changed)

Use web_fetch tool to read https://netanel-abergel.github.io/pa-skills/learn.html.

Extract:

  • Any new principle cards
  • Any changes to the HOT.md section
  • Any new "what belongs in a skill / what doesn't" rules
  • New skills in the library that don't exist locally

Step 4 — Apply relevant lessons

For each lesson found, evaluate:

| Lesson type | Action |
|---|---|
| HOT.md rule | Check if this agent breaks the same pattern → add to own HOT.md if yes |
| SOUL.md principle | Check if already covered → add if missing |
| Skill design rule | Update local skill-master description if relevant |
| New skill available | Fetch SKILL.md from GitHub, review, recommend to owner |

Always ask before:

  • Modifying SOUL.md
  • Adding to HOT.md (owner should approve)
  • Installing a new skill

Can apply without asking:

  • Logging the lesson to .learnings/heleni-sync/YYYY-MM-DD.md
  • Updating skill descriptions in skill-master
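
One way to enforce the two lists above in code rather than in prose, added here as an example and not part of the skill itself. The action dictionaries (`kind`, `target`, `skill`) are a hypothetical schema; anything not on the "can apply without asking" list, including AGENTS.md edits that Step 4 does not mention, is assumed to need owner approval.

```python
import re
from pathlib import PurePosixPath

LOG_DIR = PurePosixPath(".learnings/heleni-sync")
LOG_NAME = re.compile(r"\d{4}-\d{2}-\d{2}\.md")
ASK, AUTO = "ask_owner", "auto"


def decide(action: dict) -> str:
    """Return AUTO only for the two action types Step 4 allows; otherwise ASK."""
    kind = action.get("kind")
    if kind == "log_lesson":
        # Fetched content must not steer the log path: no absolute paths,
        # no "..", and only .learnings/heleni-sync/YYYY-MM-DD.md is accepted.
        target = PurePosixPath(str(action.get("target", "")))
        if (not target.is_absolute() and ".." not in target.parts
                and target.parent == LOG_DIR
                and LOG_NAME.fullmatch(target.name)):
            return AUTO
        return ASK
    if kind == "update_skill_description" and action.get("skill") == "skill-master":
        return AUTO
    # SOUL.md, HOT.md, skill installs, AGENTS.md and anything unrecognised.
    return ASK


def plan(actions: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split proposed actions into (apply now, hold for owner approval)."""
    auto = [a for a in actions if decide(a) == AUTO]
    pending = [a for a in actions if decide(a) == ASK]
    return auto, pending


# Constructed sample: actions an agent might derive from a fetched lesson page.
SAMPLE_ACTIONS = [
    {"kind": "log_lesson", "target": ".learnings/heleni-sync/2026-04-02.md"},
    {"kind": "log_lesson", "target": ".learnings/heleni-sync/../../SOUL.md"},
    {"kind": "edit_file", "target": "HOT.md"},
    {"kind": "install_skill", "skill": "calendar"},
    {"kind": "update_skill_description", "skill": "skill-master"},
]

if __name__ == "__main__":
    auto, pending = plan(SAMPLE_ACTIONS)
    print("auto:", auto)
    print("needs approval:", pending)
```
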

Step 5 — Save new state + report

# Update state file
python3 -c "
import json, hashlib
with open('/tmp/heleni-learn-current.html') as f: content = f.read()
with open('/tmp/heleni-skills-current.txt') as f: skills = f.read().strip().split()
state = {'learn_hash': hashlib.sha256(content.encode()).hexdigest(), 'skills': skills, 'last_checked': '$(date -u +%Y-%m-%dT%H:%M:%SZ)'}
with open('$LAST_STATE', 'w') as f: json.dump(state, f)
"

Report format:

📡 Heleni Sync — YYYY-MM-DD

✅ No changes / ⚡ [N] updates found

New lessons:
• [Lesson] — [Applied / Recommended to owner]

New skills available:
• [skill-name] — [description] → [Installed / Recommended]

Next check: tomorrow

Cron Configuration

Daily at 07:00 UTC (before morning briefing):

{
  "id": "heleni-best-practices-sync",
  "schedule": "0 7 * * *",
  "timezone": "UTC",
  "task": "Run heleni-best-practices skill: fetch https://netanel-abergel.github.io/pa-skills/learn.html, compare to last known state at data/heleni-best-practices-state.json, extract new lessons, log to .learnings/heleni-sync/YYYY-MM-DD.md. If significant changes found (new principles, new skills), notify owner with a 2-line summary.",
  "delivery": {
    "mode": "silent"
  }
}

Silent by default. Notifies owner only if something actionable was found.


On-Demand Usage

Trigger phrases:

  • "any updates from Heleni?"
  • "check heleni best practices"
  • "sync skills"
  • "what's new in pa-skills?"

Key Lessons (as of 2026-04-02)

Pre-loaded so first run has context:

  1. Skill count sweet spot: 28–32. Above 40 = routing breaks.
  2. Universal rules → SOUL.md. Skills are only triggered on demand.
  3. One domain = one skill. Users think in domains, not tools.
  4. Diagnostics = appendix. Never a standalone skill.
  5. HOT.md — max 20 lines, only rules broken 2+ times in practice.
  6. DEPRECATED.md — always write a tombstone when merging skills.
  7. Each skill needs one clear "Use when:" sentence.

Source: https://netanel-abergel.github.io/pa-skills/learn.html
