Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Openclaw Agent Governance
v1.0.0Set up or audit an OpenClaw agent workspace with standardized governance files. Use when: (1) creating a new agent workspace, (2) auditing existing agent fil...
⭐ 0· 73·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's stated purpose (create/audit governance files) matches the actions described (create MEMORY.md, AGENTS.md, memory/*). However, the SKILL.md repeatedly references an external command 'agent-governance' and a set of template files under references/ that are not included in the skill bundle and are not declared in requirements. It's unclear where the templates or the 'agent-governance' executable come from, which is an incoherence between claimed capability and what the skill actually provides/needs.
Instruction Scope
Runtime instructions tell the agent to create/modify files under ~/.openclaw/workspace-<agent-name> and to run commands like `agent-governance apply` / `agent-governance audit`. They also direct appending to existing AGENTS.md. The instructions assume templates live at references/* and that the 'agent-governance' tool exists; neither the templates nor the tool are supplied or declared. Writing to a user's home directory and modifying existing files are legitimate for this purpose but should be explicit and accompanied by templates or safe read-only audit options. The instructions do include a prohibition against running certain gateway commands, which is policy guidance but not a security risk by itself.
Install Mechanism
This is an instruction-only skill (no install spec, no code files), which is low risk in itself. However, because the instructions expect an external CLI ('agent-governance') and template files, the lack of an install method or included templates is a gap: either the environment must already have that tool/templates, or the instructions are incomplete. There is no download/execute risk from the skill itself.
Credentials
The skill requests no environment variables, credentials, or declared config paths. That is appropriate in principle. However, the instructions write to ~/.openclaw and other workspace paths without declaring them as required config paths; the skill should explicitly document that it will create files under the user's home directory so users can consent and back up existing data.
Persistence & Privilege
The skill does not request always:true and does not claim system-wide privileges. It instructs creation of persistent files in a user workspace, which is consistent with its purpose and not unusually privileged. It does not attempt to modify other skills or system-wide agent settings.
What to consider before installing
This skill's content looks like valid governance guidance, but it has gaps you should resolve before running it. Ask the author (or check the environment) for: (1) the 'agent-governance' CLI or exact commands to run — the SKILL.md assumes this tool exists but the skill bundle doesn't include or install it; (2) the template files under references/ (MEMORY.md.template, AGENTS.md.template, etc.) — these are referenced but not supplied; (3) explicit confirmation that the script will write to ~/.openclaw and whether you should back up any existing AGENTS.md or memory files. Until those are provided, prefer running the 'audit' steps in a read-only/manual mode (inspect what would change) or run any 'apply' activity in a disposable/test workspace. Also verify templates do not contain secrets or external endpoints, and require user confirmation before any automated 'gateway restart' or other privileged operations.Like a lobster shell, security has layers — review code before you run it.
latestvk973yjwjt7fsgha30r5yn0f2yh83nc5n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.