Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dev Team

v0.1.4

Multi-agent development team orchestration. Use when managing coding agents (Codex, Claude Code, Gemini, Cursor) for automated software development: (1) Spaw...

by Vint @vintlin
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the files: the package provides scripts to spawn/monitor AI coding agents, run reviews, manage git worktrees, and send notifications. That functionality explains the presence of many git/agent/monitoring scripts. One mismatch: the SKILL.md and metadata do not declare required credentials (e.g., GitHub CLI auth tokens, OpenClaw/Feishu channels) even though the scripts call 'gh pr', may auto-merge, and rely on OpenClaw/Feishu for notifications. This omission is important operationally but not necessarily malicious.
Instruction Scope
Runtime instructions and scripts operate on arbitrary repository paths (--repo-path), create and remove git worktrees/branches (including forced deletions), and instruct users to add cron/LaunchAgent jobs that run the maintenance scripts. The SKILL.md and scripts also reference invoking agent CLIs with flags that permit shell/file access. These instructions give broad filesystem and repo-modification privileges and instruct persistent scheduled execution; they go beyond passive orchestration and can make destructive changes automatically if misconfigured.
Install Mechanism
No external install spec (no downloads) — the package is instruction/code-only, which avoids fetching remote binaries. However, the bundle contains many executable scripts and node/python code that will run locally. There are no remote-install URLs to flag, but installing/using this skill means running these local scripts on your machine.
Credentials
The skill declares no required env vars, but its behavior implicitly requires privileged environment capabilities: authenticated 'gh' CLI (GitHub token), tmux, git access to repositories, and optional OpenClaw/Feishu integration. Additionally, config/agents.json intentionally configures agent CLIs with flags like '--dangerously-bypass-approvals-and-sandbox', '--dangerously-skip-permissions', and Gemini '--approval-mode yolo' with allowed-tools including run_shell_command/write_file/read_file — enabling agents to execute arbitrary shell/file operations. Those capabilities are consistent with the orchestrator role but are high-privilege and not explicitly justified by declared env requirements.
Persistence & Privilege
The skill recommends adding cron jobs or LaunchAgents to run check/cleanup/prune scripts periodically and suggests OpenClaw cron integration. That creates persistent, autonomous system activity (scheduling automatic merges, cleanups, branch deletions). Although the skill is not force-enabled (always: false), following its initialization guidance will give it recurring execution privileges that can alter repositories and remove branches automatically — combine this with auto-merge/auto-cleanup features and the blast radius increases.
What to consider before installing
This skill is coherent with its stated purpose (orchestrating multi-agent development) but has multiple high-impact behaviors you should deliberately accept or change before using:
- Review all scripts (especially spawn-agent.sh, check-agents.sh, cleanup-worktrees.sh, prune scripts, and claim/enqueue scripts). They will create/remove worktrees and branches, and can force-delete branches.
- Check and, if needed, remove or change the 'dangerous' agent CLI flags in config/agents.json (examples: '--dangerously-bypass-approvals-and-sandbox', '--dangerously-skip-permissions', Gemini '--approval-mode yolo' and allowed-tools). Those permit agents to run shell commands and write files and dramatically increase risk if untrusted prompts are used.
- Understand authentication needs: the package uses the GitHub CLI ('gh') and assumes authenticated access; it does not declare or manage tokens. Ensure any automation has least-privilege GitHub credentials and that auto-merge is disabled unless you fully trust the workflow.
- Be cautious with persistence: the SKILL.md suggests cron/LaunchAgent entries to run scripts periodically. Only enable scheduled jobs after you test scripts manually and disable auto-merge/auto-cleanup until you confirm behavior in a safe environment.
- Test in an isolated environment first: run against a disposable repo or a fork, with auto-merge off, and review logs and assets/active-tasks.json to confirm actions. Use dry-run flags where present.
- If you intend to trust the skill: lock its repo paths (avoid using --repo-path that points to critical repos), tighten allowedAgents in config/user.json, and audit who can submit prompts or add queue tasks.

Why 'suspicious' rather than 'malicious': the code and instructions appear designed for the declared orchestration purpose, but they grant broad destructive and autonomous capabilities (forced branch deletion, scheduled auto-operations, enabling agent tool exec). Those are proportionate for a fully trusted internal tool but risky if used without careful configuration or with untrusted agents/prompts. Additional provenance (who published it, signatures, or a changelog), a manifest of what external CLIs are required and why, and documented safeguards (defaults disabling auto-merge/auto-cleanup) would increase confidence.

Like a lobster shell, security has layers — review code before you run it.
