Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-setup-flow

v1.0.0

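Creates a standardized setup flow for installed skills, including directory structure, configuration templates, core file updates, and setup logging.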

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (standardize setup for installed skills) match the instructions: reading SKILL.md, creating directories/files under ~/skills/{skill-name}/, and updating integration docs. The requested capabilities are proportional to a setup/meta-skill.
Instruction Scope
Runtime instructions are limited to reading ~/skills/{skill-name}/SKILL.md and other docs, creating directories/files in user skill paths, and updating core docs (SOUL.md, AGENTS.md, MEMORY.md). This is within scope, but it explicitly modifies global/core integration files—worth reviewing since those are system-level artifacts.
Install Mechanism
Instruction-only skill; no install spec, no downloads, no binaries. Lowest install risk because nothing is written to disk by an installer beyond what the agent/user chooses to create at runtime.
Credentials
The skill declares no required env vars or credentials. However, the templates it creates (config.md) may include placeholders for API_KEYs; the skill does not request secrets itself but could encourage storing them in plaintext files. That is expected for a setup helper, but users should avoid placing real secrets there unencrypted.
Persistence & Privilege
Skill is not always-enabled and can be invoked by the user. It does request creating and updating persistent files (including global docs like SOUL.md/AGENTS.md/MEMORY.md). That persistence is coherent with its purpose, but those write operations are persisted system-wide and should be reviewed/permissioned.
Assessment
This skill is a documentation-driven meta-tool and appears to do what it says: read a skill's docs and create standard local files and integration notes. Before you run it, do these simple checks:
(1) Review the SKILL.md/setup-template.md contents so you know exactly which files will be created/modified and where.
(2) Back up SOUL.md, AGENTS.md, MEMORY.md (or any global core files) before allowing automated edits.
(3) Never put real API keys, passwords, or other secrets into config.md or other plaintext files created by the template; use a secret store or encrypted storage instead.
(4) Because the skill source/homepage are unknown, prefer running it in a sandbox or inspect/grep the files in the skill package yourself before using any included automation scripts.
(5) If you want to automate execution, inspect any suggested shell scripts (setup-*.sh) and run them step-by-step rather than blindly executing them.

Like a lobster shell, security has layers — review code before you run it.
