Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Architect Engineer — World-Class AI Build System
v1.0.1
World-class autonomous technical build skill system. Use ANY time the user asks to write code, build scripts, create automations, generate PDFs, design syste...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included reference files: this is an instruction-only 'build system' skill containing many domain-specific guides (code, DBs, deployment, PDF generation, etc.). The files and examples are consistent with a technical architect/building role.
Instruction Scope
The SKILL.md mandates the agent 'MUST' read internal reference files and to 'Trigger aggressively' for any technical task, and declares an 'autonomous mandate' to produce runnable, production-ready outputs (no placeholders). That language is broad: it encourages the agent to request credentials, create .env files, commit changes, and perform deployment tasks. The instructions do not explicitly tell the agent to read system-level secrets or arbitrary host files, but the 'last line of execution' framing could push the agent to escalate beyond purely authoring code (e.g., to ask for keys or push to repos). This is scope creep from a passive guidance skill to an agent that may try to obtain operational credentials or take actions.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. Lowest install risk — nothing is written to disk by an installer.
Credentials
The skill declares no required env vars, but many reference files and COMPANY-INTEGRATION.md include patterns and .env.example templates that reference a long list of production credentials (STRIPE_SECRET_KEY, GUMROAD_ACCESS_TOKEN, SENDGRID_API_KEY, AIRTABLE_API_KEY, etc.). Those are expected for a build system that integrates many third-party services, but the breadth is large and the SKILL.md's aggressive mandate increases the chance the agent will ask for or try to use sensitive keys. Because the skill bundle contains concrete key-format examples and company-specific storage guidance (Replit Secrets), users should be cautious about supplying production credentials or broad-scope tokens.
Persistence & Privilege
The skill is not 'always:true' and uses normal autonomous invocation settings (disable-model-invocation=false). That is standard, but the SKILL.md instructs aggressive triggering for nearly any technical request; combined with the credential guidance above, this increases the effective blast radius. There is no installer trying to persist itself, and it does not declare modifying other skills or system settings.
What to consider before installing
This skill is internally coherent as a comprehensive engineering playbook, but it is deliberately aggressive: it tells the agent to act as a production-ready architect and to 'trigger aggressively' for any technical task. If you install or enable it, consider these precautions:
- Do not provide production credentials or broad-scoped secrets to the agent. If testing, use sandboxed or low-permission API keys and throwaway accounts.
- Expect the skill to ask for configuration (.env files, API keys, repo access). Only grant the minimum scope necessary (principle of least privilege) and prefer service accounts with restricted permissions.
- The bundle contains company-specific guidance (emails, Replit workflows, and commit policies). Make sure any automatic commit/push steps are reviewed and that you understand where code would be stored or pushed.
- If you need to limit autonomous actions, consider disabling autonomous invocation for this skill or require explicit user consent before it performs external operations (git pushes, deployment, API calls).
- Review the reference files that the skill will use (they're bundled) so you understand what patterns and outputs it will produce — especially anything that constructs or stores tokens, writes .env files, or contains instructions to ping external healthcheck endpoints.
If you want to proceed: test it in an isolated environment first (local repo, sandbox API keys, ephemeral resources), and audit any outputs and requests it generates before giving access to production systems.
Like a lobster shell, security has layers — review code before you run it.
