Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
asyncguard
v1.0.1
Async/await anti-pattern analyzer -- detects promise misuse, async resource leaks, event loop blocking, missing cancellation, async error patterns, and coord...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the delivered files and runtime behavior: shell scripts implement local pattern-based scanning, report generation, and git-hook integration. Required binaries (git, bash, python3, jq) are used by the scripts and are appropriate. The brew install of lefthook aligns with the stated git-hook feature.
Instruction Scope
SKILL.md and the scripts instruct only local actions: discovering files, running grep-based regex checks, computing scores, generating text/json/html reports, and optional hook installation. The code references only local config (~/.openclaw/openclaw.json) and local tools; there are no network calls or external endpoints invoked by the scripts.
Install Mechanism
Install spec uses a Homebrew formula (lefthook), a well-known package manager and tap. The package's own files are shipped in the skill bundle; no arbitrary downloads or remote extract/install steps are present in the provided code.
Credentials
The primary credential ASYNCGUARD_LICENSE_KEY is expected for tiered license checks and is declared. The license module also optionally reads ~/.openclaw/openclaw.json (declared in metadata) which is reasonable. One minor surprise: the license verification code conditionally uses an environment var named CLAWHUB_JWT_SECRET (not declared in requires.env) to verify JWT signatures if present — this is optional but worth noting since it's an undeclared, platform-prefixed secret that will be consulted if set.
Persistence & Privilege
always:false and normal model invocation; the skill can install lefthook git hooks (it modifies or creates lefthook.yml and runs lefthook install) which will run scans on pre-commit/pre-push in repositories. This is functionally expected for a linter but it does change repository hook state and can block commits/pushes until issues are addressed or hooks are disabled.
Assessment
This skill appears to do what it says: a purely local regex-based async pattern scanner with optional git-hook integration. Before installing: 1) Decide whether you want automatic hooks in your repos — the skill will create/append a lefthook.yml and run lefthook install which can block commits/pushes. 2) The Pro/Team features require ASYNCGUARD_LICENSE_KEY or an entry in ~/.openclaw/openclaw.json; the license code will read that file. 3) There is an optional CLAWHUB_JWT_SECRET environment variable referenced by the license verifier — only set that if you trust the signing source. 4) Review the included scripts (patterns.sh) if you want to confirm which regexes will run on your code. If you do not want hooks, avoid running the hooks install command; running one-shot scans (bash scripts/dispatcher.sh ...) remains local and safe.
scripts/patterns.sh:101
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
⚡ Clawdis
OS: macOS · Linux · Windows
Bins: git, bash, python3, jq
Primary env: ASYNCGUARD_LICENSE_KEY
Install
Install lefthook (git hooks manager)
Bins: lefthook
brew install lefthook