ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Ops Deck Lite

v1.0.0

Lightweight agent productivity toolkit: semantic code search with embeddings and a categorized prompt library. Two services, ~200MB RAM, zero cloud dependenc...

0· 67·0 current·0 all-time
bySolomon Neas@solomonneas
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the runtime instructions: a local FastAPI code-search service and a Node prompt-library. However the registry metadata lists no required binaries/env while SKILL.md clearly requires Node.js, Python, PM2, SQLite and Ollama. That metadata omission is inconsistent (not necessarily malicious) and worth noting before install.
!
Instruction Scope
SKILL.md instructs walking your project directories, chunking every code file, creating summaries, and sending chunks to an embeddings service (Ollama local API). This is expected for a code indexer, but it means the skill will read arbitrary files (potentially including secrets) and store them in a local SQLite DB and summary store. It also modifies crontab for nightly re-indexing. Verify which filesystem paths will be indexed and that sensitive files are excluded before running.
Install Mechanism
There is no formal install spec (instruction-only), so nothing is automatically downloaded by the registry, which reduces risk. The instructions do require running pip/npm and 'ollama pull' to fetch a ~4GB embedding model — that will download data from Ollama's model source. Pulling large models from the network and installing system services (pm2) are normal for this tool but are actions you should validate and run deliberately.
Credentials
The skill does not request any environment variables or external credentials in metadata. The runtime needs (Ollama, local endpoints, DB files) are proportional to a local-only semantic search tool. Note: index contents may include credentials or secrets from your codebase unless you explicitly exclude them.
!
Persistence & Privilege
The instructions instruct installing PM2-managed services and adding a cron job for nightly re-indexing, which grants persistent background presence and automatic activity on the host. The skill metadata does not use always:true, but the intended setup will persist across reboots and modify user crontab/pm2 state — review and approve these changes manually.
Assessment
This skill appears consistent with a local code-search + prompt library, but it will read your filesystem, start persistent services (PM2), and pull a large Ollama model. Before installing: (1) inspect or implement an allowlist/exclude list so sensitive folders (keys, creds, node_modules if desired) are not indexed; (2) confirm Ollama runs locally and you trust the model source before running 'ollama pull'; (3) run the servers as an unprivileged user (do not run as root); (4) review any generated server.py/server.js and the PM2 ecosystem file before starting; (5) be aware pm2 save and the cron entry will persist — remove them if you stop using the tool; (6) consider where the SQLite index will be stored and who can read it. If you want higher assurance, request the actual server source files from the author (they are not included) and perform a code review before starting the services.

Like a lobster shell, security has layers — review code before you run it.

latestvk975keysr4058ezw428nc9p1j583891w

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments