Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
The Grid Topology & Swarm Engine
v1.0.0Defines a 2x2m spatial grid for multi-agent control, enforcing legal command chains and enabling swarm intelligence to manage human-centric spaces efficiently.
⭐ 0· 75·0 current·0 all-time
byMilesXiang@spacesq
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The manifest, SKILL.md, and skill.py are consistent: the skill builds a house topology (2m×2m units), allocates agents, enforces an 'Avatar' authority model, and runs a local simulation. All major behaviors described in the README are implemented in code; there are no network calls or unrelated capabilities in the source.
Instruction Scope
The runtime instructions and code require an existing avatar identity file at ./s2_avatar_data/avatar_identity.json and will read/write ./s2_swarm_data/house_topology.json, but the skill metadata declared no required config paths or external prerequisites. SKILL.md mentions the Virtual Butler concept but does not formally declare this file dependency. The skill also prompts for interactive input and writes topology files into the current working directory (os.getcwd()), which could result in files being created in an unexpected location if the user runs it from an unintended folder.
Install Mechanism
No install spec, no downloads, and no external packages — it's an instruction-only skill with embedded Python code. That minimizes supply-chain risk; code runs locally and does not fetch or execute remote artifacts.
Credentials
The skill requests no environment variables or external credentials and makes no network connections. However, it implicitly depends on a local artifact (avatar_identity.json) produced by another component ('s2-digital-avatar') and writes topology data to disk. This local file dependency is not declared in requires.env or required config paths in the manifest.
Persistence & Privilege
The skill does persistent local writes only under the current working directory (creates s2_swarm_data/house_topology.json). It does not request always:true, does not modify other skills, and has no autonomous network behavior. The primary persistence is limited to its own data folder but ensure the working directory is appropriate before running.
What to consider before installing
This skill appears to implement the grid and swarm simulation it advertises, but take these precautions before installing or running it:
- Inspect the local avatar file it expects: the code reads ./s2_avatar_data/avatar_identity.json (and will abort if missing). Open that file first to confirm it contains no secrets you wouldn't want exposed. The manifest did not declare this config dependency.
- Run the skill from a safe directory (not your home root or system directories). It will create ./s2_swarm_data/house_topology.json in the current working directory.
- Confirm provenance: manifest.homepage is space2.world and repository/source is unknown. If you don't trust the publisher, avoid running the code.
- Because the skill relies on another component (s2-digital-avatar), verify what that other component produces and whether its avatar_identity.json contains private keys or tokens. This skill does not request network access, but a compromised avatar file could contain unexpected data.
- Do not run as an elevated user. If you want to be extra cautious, run it inside an isolated environment (container or VM) and inspect created files afterward.
If you want me to, I can: (a) show the exact fields expected in avatar_identity.json based on the code, (b) produce a safe example avatar file you can review, or (c) help search the code for any hidden network calls — though this file has no such calls.Like a lobster shell, security has layers — review code before you run it.
latestvk97209vesgxwbhacb72hgfpdx9838afv
License
MIT-0
Free to use, modify, and redistribute. No attribution required.