Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Neuroboost Elixir
v5.1.1Awakening Protocol v5.3 — Agent Cognitive Upgrade + Self-Evolving System + Perpetual Memory + Performance Metrics + Agent Health Score + Automated Health Pat...
⭐ 0· 834·1 current·1 all-time
byceelo@weidadong2359
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description, and most of the code (UCB1, Thompson sampling, PID, CUSUM, CLI) align with an agent optimization / health-monitoring purpose. However SKILL.md and marketing repeatedly promise additional scripts and integrations (e.g., scripts/self-healing.js, health-quick-check.js, memory-distill.sh, Telegram auto-alerts, dashboards, agent-to-agent memory sharing) that are not present in the file manifest. That discrepancy (promised production-ready automated repair & external integrations vs. delivered local library + demo CLI) is unexpected and should be clarified by the author.
Instruction Scope
SKILL.md instructs/encourages creating persistent artifacts (.issues/, MEMORY.md, INDEX.md, HEARTBEAT.md), scheduling patrols/cron jobs, and wiring alerts (Telegram). Those file-read/write and scheduled behaviors are within the skill's stated purpose (persistence/health), but SKILL.md references external alerting and automated repair workflows without providing the corresponding scripts or declaring how credentials would be supplied. The doc also suggests adding activation text to SOUL.md and auto-activating patrols — this grants the skill opportunity to read and persist agent state across sessions, so users should expect persistent file I/O and scheduled tasks.
Install Mechanism
No install spec or remote downloads are present; the skill is instruction-only in the registry sense but includes JS source and a package.json. There are no external URL downloads, no extracted archives, and no package managers invoked by the manifest — this is low install risk. The presence of a bin (CLI) and multiple source files means code will be executed if the user runs it, so standard code review and sandbox testing are recommended.
Credentials
The registry metadata declares no required env vars or credentials, yet SKILL.md and marketing explicitly mention integrations that normally require secrets (Telegram alerts, dashboards, agent-to-agent networks). The shipped code does not make network calls or read env vars, so either the external integrations are not implemented or the skill expects operators to add credentials/config later — this mismatch is notable because external alerting/sharing would require tokens and network access that are not declared.
Persistence & Privilege
The skill is not 'always: true' and does not request elevated platform privileges, but it is designed to persist state on disk (.issues, MEMORY.md, INDEX.md, HEARTBEAT.md) and to run periodic patrols/cron jobs according to its docs. Persisting agent memory across sessions is a core feature but also a privacy/attack-surface consideration: files written by the skill could contain sensitive context. Users should expect persistent filesystem writes and scheduled jobs if they follow the SKILL.md instructions.
What to consider before installing
This package largely implements local monitoring and optimization algorithms (UCB1, Thompson sampling, PID, CUSUM) and a CLI demo — that part is coherent with the product description. However: (1) the documentation promises production self-healing scripts and external integrations (Telegram alerts, dashboards, agent-to-agent sharing) that are not in the shipped files; (2) the docs instruct creating persistent files and cron-like patrols (which is normal for a memory/health tool) but do not declare any credentials or network behavior. Before installing or running this skill: review the actual source files (you can see them here) and test in a sandbox; do not blindly copy activation text into global agent config (SOUL.md) or grant network/webhook credentials until you confirm where they will be used; expect the skill to write files to the working directory (.issues, MEMORY.md, etc.) and consider storing those files in a controlled location; if you plan to enable Telegram or dashboards, verify the exact code that performs network calls and provide tokens only after auditing that code. If you need stronger assurance, ask the author to supply the missing scripts or a minimal README that maps advertised features to actual files and required environment variables.Like a lobster shell, security has layers — review code before you run it.
latestvk97byeaw59xm32ed6305xbfjqn82f6dc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.