Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Veadk Go Skills
v1.0.0根据用户的功能需求,完成与 VeADK-Go 相关的功能; 包括:直接根据需求生成 Agent;将Enio Agent转换为VeADK-Go Agent。
⭐ 0· 382·98 current·102 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name and description match the included reference docs for VeADK-Go agent creation and Enio→VeADK-Go conversion. The included common/*.md and converter/enio_rule.md files are appropriate reference material for that purpose. However, some instructions (see below) reference file names/paths and output formats that don't align with the provided Go-focused examples (e.g., saving output as agent_name/agent.py despite examples being Go), which is inconsistent.
Instruction Scope
SKILL.md tells the agent to consult reference docs included in the package (OK) but also instructs to call a script to save code artifacts and to write agent_name/agent.py — no such script exists and .py is inconsistent with the Go examples. SKILL.md references 'references/converter/enio_rules.md', while the manifest contains converter/enio_rule.md (path/name mismatch). These mismatches create ambiguity about what the agent should actually read/write. The instructions do not tell the agent to access unrelated system files or hidden endpoints, but the missing/incorrect paths and the nonexistent save script are problematic because they grant the skill broad discretion (the agent may attempt to create files in unexpected locations).
Install Mechanism
Instruction-only skill with no install spec, no binaries or external downloads — lowest risk from install mechanism.
Credentials
The skill declares no required environment variables, which is consistent for a pure-generator. However, multiple example snippets show use of ModelAPIKey / os.Getenv("OPENAI_API_KEY") and other backend configs (e.g., Tos bucket, ModelAPIBase). If the generated agents are intended to call external LLMs or services, those credentials will be required at runtime but are not declared by the skill. This omission is a proportionality/clarity issue (not necessarily malicious) and should be clarified.
Persistence & Privilege
Skill does not request persistent presence (always:false) and makes no modifications to other skills or system-wide agent settings. No elevated persistence requested.
What to consider before installing
This skill appears to be a documentation-driven generator for VeADK-Go agents, but there are several inconsistencies you should resolve before installing/using it: 1) Ask the author to confirm file paths and names (SKILL.md references 'references/...' while the package uses 'common/' and 'converter/enio_rule.md'); 2) Confirm the intended output language and filename (SKILL.md instructs saving to agent_name/agent.py but the included examples are Go — likely should be .go); 3) Request the missing 'save' script or explicit instructions for where/how generated code should be written; 4) Clarify runtime credential needs (examples reference OPENAI_API_KEY, ModelAPIKey, Tos bucket config) and require the skill to declare any env vars it expects to use so you can review them; 5) Treat generated code as untrusted: review it before running, run in a sandbox, and search generated artifacts for external endpoints or credentials being sent out. These issues indicate sloppy/incomplete engineering rather than clear malicious intent, but you should get clarifications and inspect generated code before giving the skill access to credentials or executing produced agents.Like a lobster shell, security has layers — review code before you run it.
latestvk9743g5f6p7kyebvbzmw6fzedh820rvb
License
MIT-0
Free to use, modify, and redistribute. No attribution required.