Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Longrunning Agent

v1.1.1

Enables AI agents to work on long-running projects across multiple sessions. Use when starting complex projects, resuming work on existing projects, managing...

by Yonghao Zhao @yonghaozhao722
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a project/workflow manager and the instructions (task.json, progress.txt, working on one task, git commits) are coherent with that purpose. However the manifest lists 'tools': ["gh"] and the README tells you to ensure the Claude Code CLI is installed — yet required binaries/env vars are empty. This mismatch between declared requirements and the instructions is unexpected.
Instruction Scope
Runtime instructions are focused on reading/writing local workflow files, optionally running an init.sh, running lint/build/tests, and making git commits — all reasonable for this purpose. The instructions also claim integration with an 'Agent Workflow Web App' (tasks sync with web database, session output logged) but provide no endpoints, credentials, or steps for that sync; that unspecified network behavior is worth flagging.
Install Mechanism
This is an instruction-only skill with no install script or downloaded code. The manifest's install destination is just a copy location. No archive downloads or third‑party packages are pulled by the skill itself.
Credentials
The skill does not request any environment variables or credentials, but the SKILL.md requires external tools (Claude Code CLI) and references syncing to a web database. If those integrations require API keys or tokens, they are not declared here — the omission reduces transparency and could lead to unexpected credential use by supporting tooling or templates.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It does not declare modifications to other skills or system-wide settings. Normal autonomous invocation is allowed (platform default).
What to consider before installing
This skill appears to implement a sensible long-running project workflow, but it has a few transparency issues you should check before installing:
1) Verify external dependencies: the SKILL.md asks you to have the Claude Code CLI configured and the manifest lists the GitHub CLI ('gh') — install and configure these yourself, and ensure you trust them.
2) Inspect any init.sh or template files before running them (they can execute arbitrary code).
3) Ask the author or inspect the referenced repository for details about the 'Agent Workflow Web App' integration — who hosts the web database, what endpoints are used, and what credentials (if any) are required.
4) Prefer skills that explicitly declare required binaries and environment variables; absence of those declarations here is the main reason for caution.
If you can review the upstream repository or get confirmation about the web sync behavior and any required credentials, the risk assessment can be raised to higher confidence.

Like a lobster shell, security has layers — review code before you run it.

latest vk978yvh0j16wng9ydd36r1cr5x81fyzx
