ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Crucible Forge

v1.0.3

Systematic workspace reorganization for AI agent users. Scans workspace, builds safety-first reorganization plan, executes with zero data loss, and verifies...

0· 308·1 current·1 all-time
byShadow Rose@theshadowrose
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the delivered code and instructions: scanner, planner, and auditor components operate over a local workspace and generate human-reviewable plans; no unexplained external credentials, binaries, or services are requested.
Instruction Scope
SKILL.md and the scripts indicate wide-ranging filesystem access (scanning, hashing, manifest generation, moving targets in generated plans) and run local system commands (e.g., ps). This is coherent with the stated purpose but means the skill will read many files (including potentially sensitive ones). Also, load_config executes a supplied .py config file — necessary for templating but increases risk if the config is obtained from an untrusted source.
Install Mechanism
No install spec is provided and the code uses only the Python standard library. No remote downloads or archive extraction detected in the provided files.
Credentials
The skill requests no environment variables, no credentials, and no platform services. Its access to local filesystem and subprocess invocation is proportional to a workspace scanner/planner tool.
Persistence & Privilege
always is false and the skill does not claim autonomous auto-execution of plans. It writes manifests and output files to workspace-specified locations (OUTPUT_DIR/AUDIT_DIR) which is expected for this functionality.
Assessment
This tool appears internally consistent with its purpose, but it performs broad local filesystem reads/writes and executes a user-supplied Python config file. Before using: 1) Review and, if needed, sanitize the config you supply (config can execute arbitrary Python). 2) Run initial scans on a copy or a non-production workspace to observe behavior. 3) Protect sensitive paths (add them to PROTECTED_DIRS/PROTECTED_FILES) and ensure a verified backup exists in BACKUP_DIR before generating plans. 4) Plans include shell rollback commands but Forge does not auto-execute moves — you must apply moves yourself (recommended) or inspect/modify any automation you add. 5) Prefer running in an isolated environment (non-root account or container) if the workspace contains secrets or system files. If you want, I can flag specific code lines to review or summarize where the scripts read/write files and run subprocesses.

Like a lobster shell, security has layers — review code before you run it.

analysisvk97f4k3gw4z8ry6g1c57p5nd5982jzzrdebuggingvk97f4k3gw4z8ry6g1c57p5nd5982jzzrforensicsvk97f4k3gw4z8ry6g1c57p5nd5982jzzrlatestvk97f4k3gw4z8ry6g1c57p5nd5982jzzrlearningvk97f4k3gw4z8ry6g1c57p5nd5982jzzrpost-mortemvk97f4k3gw4z8ry6g1c57p5nd5982jzzr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments