Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Self Audit

v1.0.0

Track, analyze, and score your tool calls to identify unnecessary usage, detect patterns, and get recommendations for efficiency improvements.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The SKILL.md describes a 'self-audit' CLI (commands like `self-audit log`, `self-audit analyze`) and even lists a `self-audit` script and an `audit/` directory, but the skill bundle includes only SKILL.md and config.json (no code or binaries) and declares no required binaries. That mismatch means the skill as delivered cannot perform the functionality it advertises without additional, unspecified artifacts.
Instruction Scope
The instructions themselves are narrowly focused (logging tool calls, analyzing logs, suggesting caching). They do not ask the agent to read unrelated system files or environment variables. However, they are vague about integration: there is no explanation for how the tool intercepts or collects tool-call telemetry automatically (the examples show manual CLI invocation). This lack of integration detail reduces usefulness and raises questions about how tracking is intended to be implemented.
Install Mechanism
There is no install spec (instruction-only). That is low-risk in general, but here it's notable because config.json lists entry: 'self-audit' and runtime: 'shell' while no executable is provided. The package appears incomplete — installing nothing while promising a CLI.
Credentials
The skill does not request environment variables, credentials, or access to config paths. Nothing in the provided files asks for unrelated secrets or wide system access.
Persistence & Privilege
`always` is false and the skill does not request persistent or elevated platform privileges. It does mention creating an `audit/` directory on first run (expected for local logs), which is proportional to its described purpose.
What to consider before installing
This package appears to be an instruction-only spec for a CLI tool but does not include the CLI or an install method. Before using or trusting it:
1) Ask the publisher for the actual `self-audit` binary/source and verify its provenance (repository, releases).
2) Confirm how it is supposed to collect tool-call telemetry (manual logging vs automatic hooking into the agent/runtime).
3) If you obtain the binary, review its source or run it in a sandbox to ensure it only writes local logs and does not transmit data externally.
4) Do not provide credentials or add it to automated agent workflows until you can verify the missing artifacts and confirm where audit logs are stored and whether any network endpoints are contacted.


Tags: audit, efficiency, introspection, latest, self, tool
