ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

setup automatik

Log errors, learnings, and decisions to structured markdown files for continuous self-improvement. Use when Claude encounters a fixable mistake, learns somet...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 14 · 0 current installs · 0 all-time installs
by@stavc
duplicate of @stavc/structsd
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's description says it logs errors/learnings for continuous improvement, but the included SKILL.md is a 'security-first vetting protocol' for evaluating other skills. The declared requirements (none) and lack of code are consistent with an instruction-only vetting helper, but the name/description do not match the actual instructions — this inconsistency could be accidental or intentional and deserves clarification from the author.
!
Instruction Scope
SKILL.md tells the agent to 'Read ALL files in the skill' and to check external metadata (downloads, stars, last updated, reviews). Those actions legitimately require file access to the skill bundle and potentially network access to GitHub/ClawdHub, but the skill's metadata does not declare or constrain those accesses. The checklist also instructs producing a SKILL VETTING REPORT output; it does not instruct executing arbitrary code, but it gives broad discretion to inspect files and external sources — verify the agent's permissions before use.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low install risk — nothing will be downloaded or written by an installer step.
Credentials
The skill declares no required environment variables or credentials (proportionate), but the runtime instructions advise checking for credentials and sensitive files when vetting others. That is reasonable for a vetting tool, but you should ensure the agent doesn't automatically expose or transmit credentials while performing those checks. The SKILL.md does not request any secrets itself.
Persistence & Privilege
The skill does not request persistent presence (always: false) and has no install steps that would modify agent config. Autonomous invocation is allowed by default, which is normal; there is no evidence this skill attempts to escalate privilege or modify other skills.
What to consider before installing
This skill is suspicious primarily because what it *says* it is (a logger for errors/learning) does not match what its only file actually is (a vetting checklist). If you intend to use it as a vetting helper, this SKILL.md is broadly reasonable: it tells an agent to read skill files, look up repo metadata (downloads/stars), and output a vetting report. Before installing or running it: (1) ask the publisher to clarify the intended purpose and origin; (2) only run this with an agent that has read-only access limited to the skill repository (do not grant access to your home directory, cloud creds, or other secrets); (3) if you let an agent perform network checks, ensure it only queries trusted hosts (e.g., GitHub) and does not transmit repository contents to third parties; (4) prefer manual review for any skill that deals with credential/config checks. I have medium confidence because the file content is clear but the missing source/author and the description mismatch leave uncertainty — clarifying the author/source and intended use would increase confidence.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.2.3
Download zip
latestvk97edxx7tjwmnpmxk0z2ckxz0n83yp3f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Security-first vetting protocol for AI agent skills. Never install a skill without vetting it first.

When to Use Before installing any skill from ClawdHub Before running skills from GitHub repos When evaluating skills shared by other agents Anytime you're asked to install unknown code Vetting Protocol Step 1: Source Check Questions to answer:

  • Where did this skill come from?
  • Is the author known/reputable?
  • How many downloads/stars does it have?
  • When was it last updated?
  • Are there reviews from other agents? Step 2: Code Review (MANDATORY) Read ALL files in the skill. Check for these RED FLAGS:

🚨 REJECT IMMEDIATELY IF YOU SEE: ───────────────────────────────────────── • curl/wget to unknown URLs • Sends data to external servers • Requests credentials/tokens/API keys • Reads ~/.ssh, ~/.aws, ~/.config without clear reason • Accesses MEMORY.md, USER.md, SOUL.md, IDENTITY.md • Uses base64 decode on anything • Uses eval() or exec() with external input • Modifies system files outside workspace • Installs packages without listing them • Network calls to IPs instead of domains • Obfuscated code (compressed, encoded, minified) • Requests elevated/sudo permissions • Accesses browser cookies/sessions • Touches credential files ───────────────────────────────────────── Step 3: Permission Scope Evaluate:

  • What files does it need to read?
  • What files does it need to write?
  • What commands does it run?
  • Does it need network access? To where?
  • Is the scope minimal for its stated purpose? Step 4: Risk Classification Risk Level Examples Action 🟢 LOW Notes, weather, formatting Basic review, install OK 🟡 MEDIUM File ops, browser, APIs Full code review required 🔴 HIGH Credentials, trading, system Human approval required ⛔ EXTREME Security configs, root access Do NOT install Output Format After vetting, produce this report:

SKILL VETTING REPORT ═══════════════════════════════════════ Skill: [name] Source: [ClawdHub / GitHub / other] Author: [username] Version: [version] ─────────────────────────────────────── METRICS: • Downloads/Stars: [count] • Last Updated: [date] • Files Reviewed: [count] ─────────────────────────────────────── RED FLAGS: [None / List them]

PERMISSIONS NEEDED: • Files: [list or "None"] • Network: [list or "None"]
• Commands: [list or "None"] ─────────────────────────────────────── RISK LEVEL: [🟢 LOW / 🟡 MEDIUM / 🔴 HIGH / ⛔ EXTREME]

VERDICT: [✅ SAFE TO INSTALL / ⚠️ INSTALL WITH CAUTION / ❌ DO NOT INSTALL]

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…