Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Wanng Ide Auto Skill Hunter

v1.0.0

Proactively discovers, ranks, and installs high-value ClawHub skills by mining unresolved user needs and agent context. Use when new tasks are unsolved, when...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for terrycarter1985/wanng-ide-auto-skill-hunter.

Install the skill "Wanng Ide Auto Skill Hunter" (terrycarter1985/wanng-ide-auto-skill-hunter) from ClawHub.
Skill page: https://clawhub.ai/terrycarter1985/wanng-ide-auto-skill-hunter
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install terrycarter1985/wanng-ide-auto-skill-hunter

ClawHub CLI


npx clawhub@latest install wanng-ide-auto-skill-hunter
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (discover, rank, install skills) match what the code does: mining session/memory files, searching ClawHub, and installing candidates. However the skill reaches into agent session logs (agents/main/sessions), USER.md, and personality state outside the immediate workspace—access that is reasonable for problem-mining but broader than a minimal 'discovery' tool and should be expected and reviewed.
Instruction Scope
SKILL.md instructs running the included hunt.js which (per source) reads recent session JSONL files, task memory, personality/user profile, scores candidates, then clones/installs top skills and runs self-tests. It also references an outbound reporting script and an env flag to disable reporting. Reading cross-session logs and sending external reports are outside purely local search and expand the data-surface exposed by this skill.
Install Mechanism
There is no formal install spec, but the code performs repo cloning and scaffold fallbacks to write new skills into the local skills directory. That amounts to downloading and executing third-party code at runtime — expected for a hunter, but high-risk because upstream skill code may be unvetted. The code uses child_process (execSync/spawnSync) which can run arbitrary system commands during discovery/install.
Credentials
The skill declares no required env vars, but the code reads workspace files (USER.md, memory files, sessions) and honors SKILL_HUNTER_MAX_INSTALL and SKILL_HUNTER_NO_REPORT env flags. It does not request cloud keys, but it does access potentially sensitive local artifacts (session logs, user profile) which is proportionate to problem-mining yet privacy-sensitive and not explicitly declared in metadata.
Persistence & Privilege
always:false and model invocation is allowed (default). The skill writes to the skills directory (installs/clones) and recommends periodic runs (cron). Autonomous installation capability combined with filesystem write and outbound reporting increases blast radius if misused, but autonomous invocation alone is normal for skills.
What to consider before installing
This skill is coherent with its stated goal but has meaningful risks you should accept consciously before enabling automatic runs. Key actions you can take:

  1. Start with --dry-run and SKILL_HUNTER_NO_REPORT=1 to preview candidates without installs or external reports.
  2. Limit --max-install to 1 and run it manually at first.
  3. Review the hunt.js code paths that perform git clones/scaffolds and the downstream SKILL.md/index.js of any candidate before allowing them to install/run.
  4. Restrict execution to an isolated/sandboxed environment or a non-production workspace, and avoid pointing it at agent session directories containing sensitive PII until you audit it.
  5. If you plan to enable scheduling, require human review/approval before installs or route reports to an internal audit-only endpoint.

If you want lower risk, prefer manual discovery workflows or a read-only preview mode only.
src/hunt.js:594
Shell command execution detected (child_process).
src/hunt.js:59
Environment variable access combined with network send.
src/hunt.js:89
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
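
For reviewing a candidate skill's source by hand before install, a co-occurrence check of the kind reported above can be sketched as follows. This is an added example, not ClawHub's, VirusTotal's or OpenClaw's scanner; the regexes, rule names and the sample source are constructed for illustration and are not taken from hunt.js.

```javascript
// Per-line signals (heuristic regexes; comments and strings are not
// excluded, so expect some over-flagging in a manual review).
const SIGNALS = {
  shell: /\bchild_process\b|\b(?:execSync|spawnSync|execFileSync)\s*\(/,
  env: /\bprocess\.env\b/,
  fileRead: /\b(?:readFileSync|readFile|createReadStream)\s*\(/,
  netSend: /\bfetch\s*\(|\bhttps?\.request\s*\(|\.post\s*\(/,
};

// A rule fires only when every signal it needs appears in the same file.
const RULES = [
  { rule: 'shell-exec', needs: ['shell'] },
  { rule: 'env+network-send', needs: ['env', 'netSend'] },
  { rule: 'file-read+network-send', needs: ['fileRead', 'netSend'] },
];

function scanSource(file, source) {
  const hits = {};
  for (const key of Object.keys(SIGNALS)) hits[key] = [];
  source.split(/\r?\n/).forEach((line, i) => {
    for (const [key, re] of Object.entries(SIGNALS)) {
      if (re.test(line)) hits[key].push(i + 1); // 1-based line numbers
    }
  });
  return RULES
    .filter((r) => r.needs.every((k) => hits[k].length > 0))
    .map((r) => ({
      file,
      rule: r.rule,
      lines: r.needs.flatMap((k) => hits[k]).sort((a, b) => a - b),
    }));
}

// Constructed sample input (hypothetical names; not the skill's code).
const SAMPLE = [
  "const { execSync } = require('child_process');",
  "const fs = require('fs');",
  "const noReport = process.env.SKILL_HUNTER_NO_REPORT;",
  "const log = fs.readFileSync(sessionPath, 'utf8');",
  "if (!noReport) fetch(reportUrl, { method: 'POST', body: log });",
  "execSync('git clone ' + repoUrl);",
].join('\n');

for (const f of scanSource('sample.js', SAMPLE)) {
  console.log(`${f.file}: ${f.rule} (lines ${f.lines.join(', ')})`);
}
```

A file that only reads local data produces no finding; the read is flagged only once a network send appears in the same file, which is the combination the scan reports as possible exfiltration.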


latestvk976jn3mhhq1n9ak2knsabx275854s9g
122 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

Auto Skill Hunter

Auto Skill Hunter continuously expands an agent's capability stack with task-relevant skills, then explains why each selected skill is worth trying.

When to Use

Use this skill when at least one of the following is true:

  • The user asks for a task that current skills cannot solve reliably.
  • Similar issues keep appearing across recent sessions.
  • The user explicitly asks to discover/install better skills.
  • The agent needs proactive capability growth on a timer.

High-Value Outcomes

  • Faster discovery of practical skills for real unresolved tasks.
  • Lower manual browsing effort on ClawHub.
  • Better skill stack diversity through complementarity scoring.
  • Safer adoption via bounded install count and runnable checks.

Usage

node skills/skill-hunter/src/hunt.js

Common Commands

# 1) Full automatic patrol
node skills/skill-hunter/src/hunt.js --auto

# 2) Targeted hunt for a specific unresolved problem
node skills/skill-hunter/src/hunt.js --query "Cannot reliably fetch web pages and summarize key insights"

# 3) Preview only (no write/install)
node skills/skill-hunter/src/hunt.js --dry-run

# 4) Cap per-run installation count
node skills/skill-hunter/src/hunt.js --max-install 2

Core Workflow

  1. Extract unresolved problems and topic signals from recent chat/session memory.
  2. Search ClawHub with trending feeds and query endpoints.
  3. Score candidates with multi-factor ranking:
    • issue relevance
    • profile and personality fit (USER.md + personality state)
    • complementarity with already installed skills
    • quality signals such as stars/downloads (when available)
  4. Install top candidates with a runnable entry and self-test fallback.
  5. Produce a concise recommendation report with strengths, scenarios, and selection reasons.

Best-Fit Scenarios

  • A user asks for a task that current skills cannot solve well.
  • Recent sessions show repeated failures or unresolved tickets.
  • The agent needs proactive capability growth without manual curation.
  • The team wants a lightweight "discover -> test -> keep/remove" loop.

Operating Modes

  • Auto patrol mode: --auto for periodic capability growth.
  • Targeted mode: --query "..." when a specific user problem is known.
  • Safe preview mode: --dry-run before enabling real installs.

Recommended Execution Policy

  • Start with --dry-run in new environments.
  • Use --max-install 1~2 to avoid noisy bulk installs.
  • Re-run with a focused --query when no candidate passes threshold.
  • Keep only skills that survive at least one real task run.

Scheduled Trigger Recommendation

For continuous value, run Auto Skill Hunter on a timer:

  • Every 30 min for high-change or fast-moving projects
  • Every 60 min for normal workflows
  • Every 120 min for stable environments

This cadence keeps capability coverage fresh and reduces reaction lag when new user needs appear.

Suggested Cron-Style Routine

# High-change projects
*/30 * * * * node /path/to/workspace/skills/skill-hunter/src/hunt.js --auto --max-install 1

# Normal projects
0 * * * * node /path/to/workspace/skills/skill-hunter/src/hunt.js --auto --max-install 2

Installation Policy

  • Defaults to max 2 installations per run (configurable with --max-install or env).
  • Skips already-installed skills.
  • Falls back to scaffold mode when remote clone fails.

Safety and Quality Guardrails

  • Never overwrite existing skill folders.
  • Prefer small, frequent patrols over large one-shot installs.
  • Keep report output concise and action-oriented.
  • Disable outbound reporting during local tests with SKILL_HUNTER_NO_REPORT=1.
