Skill v1.0.2
ClawScan security
Openclaw Listing Bot · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 30, 2026, 1:54 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The SKILL.md describes an autonomous, always-running marketplace-publishing bot but the package declares no binaries, no credentials, and no install — the runtime expectations (scripts, publishing tools, shared workspace access, marketplace credentials) are inconsistent with what is requested and declared.
- Guidance: This skill is internally inconsistent and could have high impact if run. Before installing, consider:
  1. Do you trust this source? It will attempt to generate and publish new skills autonomously.
  2. Require human review gates: block any automatic publish action until a person approves generated SKILL.md and scripts.
  3. Provide minimal, scoped credentials only (per-platform API tokens with publish-limited scopes) or none at all; do not let it use global agent credentials.
  4. Run in a strict sandbox (isolated workspace, filesystem quotas, no access to other agents' directories) and disable autonomous publishing initially.
  5. Ask the author for the missing artifacts: the actual scripts, an install spec, and explicit list of required binaries and environment variables — if they cannot justify these, do not enable the skill.
  6. Monitor behavior closely (file writes to /home/workspace, network calls to marketplace endpoints) and rate-limit/alert on mass publishing.

  If you want help drafting a safer deployment policy or sandbox profile for this skill, I can help.
Review Dimensions
- Purpose & Capability (concern): The skill's description/purpose is to autonomously create, test, and publish SKILL.md packages to multiple marketplaces. However the registry metadata lists no required binaries, no required env vars, and no install steps. The SKILL.md itself expects Python scripts, git/zopub tooling, and platform posting capabilities — resources not declared. That mismatch means the skill either omits required privileged inputs (credentials, binaries) or misrepresents its true needs.
- Instruction Scope (concern): The runtime instructions tell the agent to run multiple local scripts (self_learn.py, autolist_runner.py, deploy_to_markets.py, etc.), write SKILL.md files, maintain logs, and publish to external marketplaces. Those instructions require reading/writing shared directories (/home/workspace/Skills, /home/workspace/MoneyMachine) and interacting with external services, yet the skill does not declare or limit those operations. The template also gives broad freedom to generate new skill content and post it, which could lead to mass publishing or creation of low-quality or harmful skill artifacts without human review.
- Install Mechanism (concern): There is no install spec and no code files bundled with the skill, yet the SKILL.md expects a full repository layout with scripts and data files. This is inconsistent: an instruction-only skill that requires a multi-file codebase and tools is missing its install/runtime artifacts. That increases the chance the agent will attempt to fetch or generate code at runtime (not specified), creating ambiguity about what will be executed and where it comes from.
- Credentials (concern): Publishing to external marketplaces (zo.pub, CryptoGigs, FreeLanceDAO, x402) normally requires credentials or API tokens, but the skill declares no required environment variables or primary credential. It also instructs use of 'zopub sync' and shared filesystem paths without defining or limiting credential use. This is disproportionate: either the skill will fail without hidden credentials, or it assumes access to global agent credentials/configs (a potential escalation and exfiltration vector).
- Persistence & Privilege (concern): The skill instructs continuous 24/7 operation and to place artifacts in /home/workspace/Skills which is described as accessible to all Zo agents. Even though always:false, the instructions promote persistent state in a shared workspace and cross-agent exposure. This grants broad, lasting influence over other agents' runtime environment (new skills appearing in a shared Skills directory) and should be treated as higher privilege.
