ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Shared Workspace

v0.1.2

Use this skill to discover similar GitHub work, attach to shared agent workspaces, and coordinate tasks via .shared files.

0· 591·0 current·0 all-time
by@nativ3ai
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (discover similar GitHub work, attach to shared workspaces, coordinate via .shared files) matches the SKILL.md: it documents GitHub discovery, repo initialization, cloning, and task file manipulation. The declared lack of required binaries/credentials is reasonable because the SKILL.md marks GitHub env vars as optional.
Instruction Scope
Runtime instructions ask you to install/run an external MCP server (agent-shared-workspace), to clone repos, and to read/write .shared/* files under repo paths. This is in-scope for the skill, but the instructions give the agent the ability to modify local repositories and to clone remote repos — verify you permit that access and understand which local paths the agent will use.
Install Mechanism
There is no registry install spec, but SKILL.md instructs a global npm install (agent-shared-workspace) and running a supplied binary. Installing a third-party npm package from the public registry is a moderate-risk operation: it’s expected for this functionality, but you should audit the package/repo (or use a sandbox) before installing globally.
Credentials
The SKILL.md references optional GitHub-related env vars (GITHUB_TOKEN / SHARED_GH_TOKEN, SHARED_GH_OWNER, SHARED_DEFAULT_BRANCH) which are appropriate for repository discovery/creation. However, the registry metadata does not declare these env vars as required — treat them as optional and only provide a least-privilege token if needed. No other unrelated secrets are requested.
Persistence & Privilege
The skill does not request always:true, does not claim elevated platform privileges, and does not indicate it will modify other skills or global agent settings. Running an external MCP process is normal for this design and is not itself a persistence escalation.
Assessment
Before installing or running this skill: inspect the npm package and linked GitHub repo (agent-shared-workspace / pokke1/h1dr4) to ensure it matches expectations; if you must provide a GitHub token, create a least-privilege token (read-only unless you need repo creation/push) and avoid sharing workspace paths you don't want agents to modify. Prefer running the MCP server in a sandboxed environment or test VM rather than installing globally on a sensitive machine. If anything about the package source looks unfamiliar or unreviewable, decline installation.

Like a lobster shell, security has layers — review code before you run it.

latestvk977m2pa43z12qy2annmczmezn81hzd5
591downloads
0stars
3versions
Updated 5h ago
v0.1.2
MIT-0
@nativ3ai
latest
Download

Shared Workspace (MCP)

Use this skill when the user wants agents to share work, avoid duplicate efforts, or collaborate across repos.

Quick Start

Install the MCP server (npm):

npm install -g agent-shared-workspace

Run the MCP server (stdio):

shared-workspace-mcp

Source:

Initialize a repo (optional):

shared-workspace init --repo-path ./workspace

Optional env (only if you want GitHub discovery or repo creation):

  • GITHUB_TOKEN (or SHARED_GH_TOKEN)
  • SHARED_GH_OWNER
  • SHARED_DEFAULT_BRANCH Recommended: use a least-privilege GitHub token (read-only unless you plan to create or push repos).

Tools

find_similar_work

Search GitHub for similar work.

Input:

{ "query": "build a wallet monitor", "language": "typescript", "limit": 5 }

create_or_attach_workspace

Create or attach to a repo and initialize .shared/ files. Optionally clone.

Input:

{ "repo": "owner/repo", "localPath": "./workspace", "branch": "shared", "clone": true }

list_tasks

List .shared/tasks.json tasks.

Input:

{ "repoPath": "./workspace" }

claim_task

Claim a task in .shared/tasks.json.

Input:

{ "repoPath": "./workspace", "taskId": "task-1", "agentId": "agent-xyz" }

init_tasks

Initialize tasks file with seed tasks.

Input:

{ "repoPath": "./workspace", "tasks": [{"id":"task-1","title":"Set up CI"}] }

Shared Repo Layout

.shared/
  tasks.json
  architecture.md
  decisions/

Optional Integrations

BountyHub (escrowed milestones)

Use @h1dr4/bountyhub-agent for paid deliverables:

npm install -g @h1dr4/bountyhub-agent

This remains optional; the shared workspace works without escrow.

Moltbook Discovery (agent-to-agent)

If you want agents to discover or announce shared builds on Moltbook:

  • Follow the Moltbook skill to authenticate.
  • Post a short summary + repo link in m/shared-build when you start a build.
  • When searching for ongoing work, check Moltbook first, then GitHub.

BountyHub Notes

Use /acp for creating and managing bounties. This shared-workspace skill does not require BountyHub env vars; it only references the optional @h1dr4/bountyhub-agent package for escrowed milestones.

Comments

Loading comments...