Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cuihua Monorepo Manager

v1.0.0

๐Ÿ—๏ธ AI-powered monorepo management assistant. Automate workspace orchestration, dependency management, and build optimization for large-scale monorepo projects.

โญ 0ยท 54ยท0 currentยท0 all-time
MIT-0
Download zip
LicenseMIT-0 ยท Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
Name/description and SKILL.md claim many advanced capabilities (dependency graph analysis, smart build ordering, cross-package change detection, automated versioning, CI/CD optimization). The only shipped code (monorepo.js) performs a very small workspace scan: it reads package.json and lists packages. It does not implement build-order computation, change detection, versioning, CI/CD integration, or network calls. Additionally, SKILL.md's metadata lists 'git' as required, but the code never invokes git. This is a substantive mismatch between claimed purpose and actual capability.
!
Instruction Scope
SKILL.md provides high-level user-facing capabilities but offers no concrete runtime instructions for the advanced behaviors it claims. The runtime artifact (monorepo.js) only reads package.json files under declared workspace patterns and prints package names; it does not access other system state, VCS history, or external services. Because instructions are vague and the implementation is minimal, the agent may be unable to fulfill user requests the skill advertises — this is scope/incoherence rather than direct malicious behavior.
✓
Install Mechanism
There is no install spec — the skill is instruction-only with a small local code file. That is low-risk from an install perspective (nothing downloaded from third-party URLs). The code shipped is short and readable; it performs local filesystem reads only.
ℹ
Credentials
The skill requires no environment variables and requests only standard binaries (node, git). However, the code does not use git at all, so declaring git as required is disproportionate and unexplained. No secrets or external credentials are requested, which is appropriate for the stated local-analysis tasks.
✓
Persistence & Privilege
The skill does not request persistent/always-on presence (always:false), does not modify other skills or system-wide agent settings, and contains no code that writes persistent configuration beyond reading package.json files. Autonomous invocation is allowed by default, but that is normal and not by itself concerning here.
What to consider before installing
This skill appears to overstate what it can do. Before installing: (1) don't assume it performs build-order optimization, change detection, versioning, or CI integrations — the shipped code only reads package.json files and prints package names; (2) ask the author or maintainer for a clear mapping of claimed features to code paths (or for an updated implementation); (3) because it declares git as required but doesn't use it, be cautious — that may indicate missing code or sloppy metadata; (4) if you want those advanced features, prefer a skill with transparent, complete implementations or one from a known source; (5) test the skill in a sandboxed/local environment with non-sensitive repositories first. Additional information that would raise confidence to 'high': updated SKILL.md and code that actually implement and document change-detection (likely using git), dependency-graph construction, build-order algorithms, and any external integrations — or a trustworthy homepage/author identity and changelog showing these features.

Like a lobster shell, security has layers — review code before you run it.


License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: node, git
