skill sonar
v1.2.1
Lifecycle guard. Route to preflight or runtime.
by @stavc
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (lifecycle guard, route to preflight/runtime) align with the included artifacts: preflight and runtime guard documents and stage checklists. There are no unrelated requirements (no env vars, no binaries, no installers) that would contradict the stated purpose.
Instruction Scope
All runtime instructions are guard/advisory rules (triage before tool calls, stage guards, preflight artifact review). The preflight explicitly limits file reads to the candidate skill's own directory and prohibits traversing system paths. The instructions do not ask the agent to read or exfiltrate data outside the skill package, nor to contact external endpoints.
Install Mechanism
This is an instruction-only skill with no install spec and no code to execute. Nothing is written to disk by an installer; risk from supply-chain installation steps is minimal.
Credentials
The skill declares no required environment variables, credentials, or config paths. The preflight guard documents how to treat references to external paths as findings but does not read them—this is proportionate to auditing a skill package.
Persistence & Privilege
always:false and no install means the skill does not demand permanent presence. However, the skill is allowed to be invoked autonomously (disable-model-invocation:false). Because it's a guard, autonomous invocation could affect agent behavior (block actions, require confirmations) across sessions; this is expected for a policy guard but is operationally impactful rather than a security incoherence.
Assessment
This skill appears internally consistent and low-risk: it contains guard policies and checklists and does not request credentials, install code, or reach out to external URLs. Before enabling: (1) confirm you trust the skill author (owner ID is present but no homepage or repo was provided); (2) review the included files (they are present in the package) to satisfy yourself the audit rules are acceptable; (3) be aware the guard will read all files inside the skill package during preflight and will require triage/confirmations at runtime — if you prefer not to have autonomous interruptions, consider restricting autonomous invocation or making the skill user-invocable only; (4) test in a safe environment first if you plan to let it run automatically. Overall, nothing in the artifacts contradicts the stated purpose.
latest: vk975btpvp808ywzdew4vpbn5ex83xdgt
