Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
S2-Digital-Avatar
v1.0.1 · Middleware enforcing digital avatar mandates by intercepting unauthorized AI actions, pausing sensitive requests for local LLM judgment, and emailing audit a...
by MilesXiang@spacesq
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence
Purpose & Capability
The name/description (authorization middleware that pauses sensitive actions, queries a local LLM, and emails alerts) aligns with the code and SKILL.md: it calls a local LLM, sends SMTP emails, and stores local files. However, the SKILL.md says you must first generate a Mandate using a separate skill ('s2-digital-avatar'); that external dependency is not declared in the manifest or registry metadata. The manifest and registry versions also differ (manifest v1.1.0 vs registry v1.0.1). These omissions suggest implementation sloppiness and reduce transparency.
Instruction Scope
SKILL.md directs the agent/operator to configure SMTP credentials, ensure an avatar_identity.json exists, call a local LLM at http://localhost:1234, and to inject an 'S2 GRID OVERRIDE' string into OpenClaw's system prompt to force subordinate agents to seek approvals. The code reads/writes local files (smtp_config.json, avatar_identity.json, audit_logs.json) and will call the local LLM. Asking the user to modify other agents' system prompts grants this skill (via human action) broad control over subordinate agents; this is within purpose but high-impact and should be done deliberately. The instructions also rely on files/keys that are referenced inconsistently in the code (see below).
Install Mechanism
No install spec; skill is instruction + a Python file. There is no external download or package installation. This minimizes delivery risk, but the provided Python code will be executed by the agent runtime if invoked.
Credentials
The skill requests SMTP credentials interactively and saves them to smtp_config.json in the working directory. Requesting SMTP credentials is proportionate to the stated purpose (alert emails), but storing an app password in plaintext on disk is a sensitive persistence choice and not documented as optional. It also expects an avatar_identity.json generated by another skill; that external credential/authority material is not declared in manifest fields. No other unrelated credentials are requested.
Persistence & Privilege
The skill creates and persists a local directory (s2_middleware_data) and JSON files (smtp_config.json, audit_logs.json) in the current working directory. It does not request always:true or modify other skills' configs programmatically, but it instructs the operator to inject an override into other agents' system prompts — this is a manual but high-privilege action. The code also implements a fail-safe: if the local LLM is unreachable, it DENIES all requests, which has availability/operational effects.
What to consider before installing
This skill is plausibly what it says, but exercise caution before installing and running:
- External dependency: SKILL.md requires a Mandate (avatar_identity.json) from a different skill ('s2-digital-avatar') but that dependency is not declared — ensure you actually have a trusted source for that file and inspect it before use.
- Credential handling: The skill asks for an SMTP 'app password' and stores it unencrypted in smtp_config.json in the current working directory. If you proceed, consider using a dedicated mailbox with an app password, or modify the code to store credentials securely (OS keyring / encrypted store) and avoid committing that directory to backups or source control.
- Code correctness: The Python contains an inconsistency: the system check looks for a 'mandate' key in avatar_identity.json but later the code uses avatar_data['identity']['avatar_id']. This mismatch can cause runtime errors or unexpected OFFLINE behavior. Review and test the code in a safe environment before trusting it for production enforcement.
- High-impact instruction: The skill provides an 'override' prompt and explicitly tells you to inject it into subordinate agents' system prompts. That gives those other agents a behavior constraint; do this only for agents you control and after understanding the consequences.
- LLM availability fallback: If the local LLM (localhost:1234) is down, the middleware DENIES everything (failsafe). That prevents actions but can break legitimate workflows — test the LLM connectivity and consider how denials affect availability.
If you decide to try it: run the skill in an isolated/test environment first, review the avatar_identity.json content, verify local-LM connectivity, and consider updating the code to avoid plaintext credential storage and to fix the JSON key inconsistency. If you are not comfortable inspecting or modifying the Python, treat this as untrusted and do not install.
