Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nm Sanctum File Analysis

v1.0.0

Map file structure and organization for downstream review and refactoring workflows

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and SKILL.md align: the skill maps file structure and lists concrete commands to inspect a codebase. However the registry metadata declares required config paths (night-market.sanctum:shared and night-market.imbue:proof-of-work) that are not referenced or explained in the task steps, which is unexpected for a purely local file-analysis helper.
Instruction Scope
SKILL.md instructs the agent to run filesystem commands (pwd, tree, find, wc, head, sort, etc.) and to scan directories and files. The skill metadata declared no required binaries, yet these utilities are assumed available; that mismatch is a coherence issue. The instructions don’t direct data externally, but if invoked from the wrong working directory they could enumerate large parts of the host filesystem — the operator should ensure the agent runs in the intended repository root or in a sandbox/container.
Install Mechanism
No install spec and no code files are present (instruction-only), so nothing is written to disk by an installer. This is lowest-risk from an install perspective.
Credentials
The skill declares no required environment variables or credentials, which fits a local analysis tool. But it does declare two required config paths (night-market.sanctum:shared and night-market.imbue:proof-of-work). Those config keys may be benign plugin metadata, but they could also reference agent-level settings or secrets — the skill does not explain why they are needed, so confirm what those config entries contain and why the skill requires them.
Persistence & Privilege
always is false and the skill has no install actions or code that would persist or modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but not by itself a red flag here.
What to consider before installing
This skill is mostly coherent for mapping a repository, but take three precautions before installing or running it:
(1) Confirm what the declared config keys (night-market.sanctum:shared and night-market.imbue:proof-of-work) actually contain and why the skill needs them — do not supply secrets without understanding their purpose.
(2) Ensure the shell utilities it assumes (tree, find, wc, head, sort, etc.) are available in the execution environment, or run the skill in a sandbox/container pointed at the correct repo root to avoid scanning unrelated host files.
(3) If you are unsure about the Night Market config integration, prefer running the SKILL.md steps manually in a controlled environment so you can review outputs before giving the agent autonomous access.


Runtime requirements

🦞 Clawdis
Config: night-market.sanctum:shared, night-market.imbue:proof-of-work
