Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Where are you from

v1.0.1

An enterprise-grade asset manager that tracks, manages, and automatically syncs OpenClaw skills capabilities and sources to your GitHub.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for downwind7clawd-ctrl/openclaw-inventory-manager.

Prompt preview (Install & Setup):
Install the skill "Where are you from" (downwind7clawd-ctrl/openclaw-inventory-manager) from ClawHub.
Skill page: https://clawhub.ai/downwind7clawd-ctrl/openclaw-inventory-manager
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line (CLI Commands)

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install openclaw-inventory-manager

ClawHub CLI


npx clawhub@latest install openclaw-inventory-manager

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill claims to scan installed skills and optionally push manifests to your GitHub — and the code implements scanning, manifest generation, git commit, and git push. However the package/registry metadata lists no required binaries or env vars while both SKILL.md and the code clearly require Node.js and Git. That mismatch (no declared required binaries despite Node/Git being prerequisites) is an incoherence the user should be aware of.
Instruction Scope
Runtime instructions and code limit scanning to configured roots (default: ~/.openclaw/skills and ./skills) and explicitly mask credential-like patterns before writing manifests, which is consistent with the stated purpose. Two noteworthy points: (1) the sync workflow can perform network operations (git push) to a configured remote — SKILL.md promises a confirmation prompt but the agent-run automation model could attempt to invoke this workflow; (2) the sync --push path uses an interactive readline prompt for confirmation, which may block or behave unexpectedly if invoked non-interactively by an agent.
Install Mechanism
There is no install spec (the skill is distributed as source files and intended to be run with Node.js). No external download URLs or package installs are performed by the skill itself, so disk writes are limited to config and manifest files it explicitly creates. This is low install-surface risk, but remember it writes manifests and .gitignore and initializes git repos in the workspace.
Credentials
The skill requests no environment variables or credentials in metadata, and the implementation relies on the existing local git auth (SSH keys or credential helpers) rather than explicitly asking for a GITHUB_TOKEN. This is reasonable but should be explicit: if you want pushes to succeed you must provide git-authentication out-of-band. The code reads user home paths (process.env.HOME / USERPROFILE) and a skills.lock file if present — those are relevant to detecting skill origins. No other unrelated credentials are requested.
Persistence & Privilege
The skill is not marked always:true and does not request permanent elevated privileges. It can be invoked autonomously by default (disable-model-invocation is false), which is platform-default and expected for agent skills, but combining autonomous invocation with filesystem scanning and optional pushes increases risk surface — consider whether you want the agent to run sync/push workflows without explicit, per-action approval.
What to consider before installing
What to check before installing / running this skill:

  • Required tools: The code and README require Node.js (v14+) and Git, but the registry metadata lists no required binaries — install Node and Git first and be prepared to provide Git authentication (SSH key, credential helper, or token) for pushes to work.
  • Review searchRoots: The default scan roots include ~/.openclaw/skills and ./skills. Edit ~/.openclaw/inventory.json before scanning to avoid exposing folders you don't want to be cataloged or pushed.
  • Inspect the generated manifest before pushing: The tool masks common key patterns, but automatic masking is not perfect. Run inventory sync locally, open SKILLS_MANIFEST.md/SKILLS_MANIFEST.json, and verify there are no secrets or sensitive contents before running sync --push.
  • Understand network behavior despite SECURITY.md: The included SECURITY.md incorrectly states "no network requests" — git push will contact remote repositories if you instruct it to push. If you do not want any network activity, avoid running sync --push or do not configure a remote.
  • Be cautious with autonomous invocation: Because the agent can invoke this skill, an automated agent could run scanning and attempt to push manifests. If you prefer manual control, disable autonomous invocation for this skill or ensure prompts are required and handled by a human.
  • Sandbox first: Run the tool in a safe test folder (or with a temporary git repo without a remote) to observe its behavior: bootstrap -> status -> sync (without --push) to confirm manifest contents and masking behavior.

If you want to proceed, consider setting autoPush:false (default) and explicitly reviewing manifests before any push. If anything in the manifest looks surprising, do not push and investigate the source folders and SKILL.md files the tool discovered.
Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

  • utils/gitManager.js:10: Shell command execution detected (child_process).


Tags: inventory, latest, management, openclaw, skills

97 downloads · 1 star · 2 versions · Updated 4w ago · v1.0.1 · License: MIT-0

Where are you from (OpenClaw Skill Inventory Manager)

This skill comprehensively audits OpenClaw skills installed from various sources (ClawHub, GitHub, npm, local, etc.). It generates human- and machine-readable manifests (SKILLS_MANIFEST.json and SKILLS_MANIFEST.md), and securely backs them up to your personal GitHub repository.

WARNING (Prerequisite: Node.js required): This skill manager relies on JavaScript (inventory.js) to perform file scanning and Git integration. You must have Node.js (v14 or higher recommended) installed on your system for it to function correctly.

Core Features

  • Targeted Scanning: Optimizes performance by only scanning predefined paths configured in ~/.openclaw/inventory.json.
  • Source Detection: Accurately tracks the origin and installation method of a skill by analyzing .git, package.json, and clawhub.json.
  • Security Scrubbing: Automatically detects and masks over 10 API Key patterns (e.g., sk-, ghp_, hf_) to prevent sensitive data leaks in the manifest.
  • Privacy Layer: If a SKILL.private.md is found, the skill is classified as a "Private Skill (Content Masked)" in the manifest, and its details are fully hidden.
  • Git Syncing: Provides a single sync --push command to handle everything from detecting inventory changes to committing and pushing to GitHub.

Detailed Command Guide

0. Guided Setup (inventory bootstrap) [RECOMMENDED]

The easiest way for first-time users to set up everything (Config + Git + Initial Scan).

node .agents/skills/openclaw-inventory-manager/inventory.js bootstrap

1. Initialization (inventory init)

Initializes inventory configurations and sets up the root Git repository for tracking skills.

# Initialize Git tracking in the current directory and generate config
node .agents/skills/openclaw-inventory-manager/inventory.js init

# Initialize and link directly to a remote GitHub repository
node .agents/skills/openclaw-inventory-manager/inventory.js init https://github.com/yourname/my-skills-inventory.git

2. Status Check (inventory status)

Scans for modifications since the last inventory sync.

node .agents/skills/openclaw-inventory-manager/inventory.js status

3. Sync & Commit (inventory sync)

Updates the manifest file and commits changes to the local Git repository. Add --push to upload to the remote.

# Only update manifest and perform local commit
node .agents/skills/openclaw-inventory-manager/inventory.js sync

# Upload changes to the remote GitHub repository
node .agents/skills/openclaw-inventory-manager/inventory.js sync --push

4. Search Skill List (inventory list / search)

Outputs a quick terminal table of all installed skills.

node .agents/skills/openclaw-inventory-manager/inventory.js list

Configuration Structure

The configuration is stored in: ~/.openclaw/inventory.json (Local user home directory)

{
  "searchRoots": ["~/.openclaw/skills", "./skills"],
  "maxDepth": 5,
  "excludedDirs": ["node_modules", ".git", "dist"],
  "maskPatterns": ["sk-", "ghp_", "hf_", "AIza"],
  "autoPush": false,
  "manifestPath": "~/.openclaw/SKILLS_MANIFEST.json"
}

Field meanings (keep these notes out of the file itself: inventory.json is parsed as plain JSON, which does not allow comments):

  • searchRoots: paths to scan
  • maxDepth: recursion limit
  • excludedDirs: folders to ignore
  • maskPatterns: secret masking patterns
  • autoPush: enable automatic push
  • manifestPath: output location
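The Security Scrubbing, Privacy Layer and Source Detection features described under Core Features, driven by the maskPatterns list from this config, as an added Node.js example. This is an illustration written for this page, not the skill's own inventory.js; the function names, the marker-file heuristic for source detection and the sample skills are assumptions constructed for the demo.

```javascript
// Added example (not the skill's own code): scrub credential-like tokens from
// SKILL.md content before it reaches a manifest, hide private skills entirely,
// and tag each skill with an assumed source heuristic.

// Prefixes taken from the maskPatterns field of ~/.openclaw/inventory.json.
const DEFAULT_MASK_PATTERNS = ["sk-", "ghp_", "hf_", "AIza"];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\-]/g, "\\$&");
}

// Replace "<prefix><8 or more token chars>" with "<prefix>***" so a pasted key
// never lands in SKILLS_MANIFEST.json or SKILLS_MANIFEST.md.
function maskSecrets(text, patterns = DEFAULT_MASK_PATTERNS) {
  return patterns.reduce((out, prefix) => {
    const re = new RegExp(escapeRegExp(prefix) + "[A-Za-z0-9_\\-]{8,}", "g");
    return out.replace(re, prefix + "***");
  }, text);
}

// Assumed heuristic for "Source Detection": marker files in the skill folder
// decide how it was installed (clawhub.json, .git, package.json, else local).
function detectSource(files) {
  if (files.includes("clawhub.json")) return "clawhub";
  if (files.includes(".git")) return "git";
  if (files.includes("package.json")) return "npm";
  return "local";
}

// One manifest entry: a private skill exposes no content at all, a public skill
// exposes its SKILL.md only after scrubbing.
function buildManifestEntry(name, files, skillMd, patterns = DEFAULT_MASK_PATTERNS) {
  const isPrivate = files.includes("SKILL.private.md");
  return {
    name,
    source: detectSource(files),
    visibility: isPrivate ? "private" : "public",
    description: isPrivate ? "Private Skill (Content Masked)" : maskSecrets(skillMd, patterns),
  };
}

// Constructed sample: a public skill whose SKILL.md leaked two keys, and a private one.
const SAMPLE_SKILLS = [
  { name: "weather", files: ["SKILL.md", "clawhub.json"],
    skillMd: "Uses OPENAI key sk-abcdef1234567890 and GitHub ghp_ZYXWVUTSRQPONM12" },
  { name: "internal-ops", files: ["SKILL.md", "SKILL.private.md", ".git"],
    skillMd: "Rotate hf_secretTOKEN0001 weekly" },
];

function buildManifest(skills = SAMPLE_SKILLS) {
  return skills.map((s) => buildManifestEntry(s.name, s.files, s.skillMd));
}

console.log(JSON.stringify(buildManifest(), null, 2));
```

Prefix-based masking only catches tokens that carry one of the configured prefixes, which is why the scan above still recommends reading the manifest before any sync --push.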

Instruction for Agent (Natural Language Triggers)

When the user sends a message matching one of the following trigger phrases, run the corresponding workflow. Matching should be intent-based — exact wording is not required.
🔍 Intent: Audit / Inspect Skills

Trigger phrases (English)

  • "Where are you from?"
  • "Where did my skills come from?"
  • "Show me my skill inventory"
  • "List all my installed skills"
  • "What skills do I have?"
  • "Audit my skills"
  • "Analyze my agent environment"
  • "Check my skill history"
  • "Show my skill manifest"
  • "What's installed?"

Trigger phrases (Korean, given here in English translation)

  • "Check my skill history"
  • "Show me the skill list"
  • "Which skills are installed?"
  • "Tell me my skill history"

Workflow:

  1. Check if ~/.openclaw/inventory.json exists.
  2. If NOT exists → Inform the user that the skill has not been initialized yet and suggest: node inventory.js bootstrap
  3. If EXISTS → Run inventory status and summarize the output (number of skills found, any changes since last sync).
  4. If changes are detected, offer to run inventory sync.

☁️ Intent: Sync / Commit / Push to GitHub

Trigger phrases (English)

  • "Sync my skills to GitHub"
  • "Update my skill manifest"
  • "Commit my inventory"
  • "Push my skill list"
  • "Save skill inventory to GitHub"
  • "Back up my skills"

Trigger phrases (Korean, given here in English translation)

  • "Sync my skills"
  • "Upload to GitHub"
  • "Update the inventory"
  • "Commit it"

Workflow:

  1. Run inventory sync --push.
  2. Report the commit status (success, no changes, or error) to the user.
  3. If push fails, suggest checking GitHub authentication (SSH or token).

🚀 Intent: First-Time Setup / Bootstrap

Trigger phrases (English)

  • "Set up skill inventory"
  • "Initialize skill tracking"
  • "Get started with skill manager"
  • "Configure the inventory"
  • "I just installed this skill, what do I do?"

Trigger phrases (Korean, given here in English translation)

  • "Set up the skill manager"
  • "Tell me how to get started"
  • "Initialize it"

Workflow:

  1. Check if ~/.openclaw/inventory.json already exists.
  2. If NOT exists → Run inventory bootstrap and guide through each step.
  3. If EXISTS → Inform that a config already exists, and ask if the user wants to re-initialize or just run status.

Security Note (Reminder)

  • Always verify your GitHub authentication before using sync --push.
  • Use .gitignore to prevent sensitive credential files from being uploaded.
  • Utilize SKILL.private.md for internal instructions that should never be public.
