Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Her Agent
v3.0.0Self-evolving AI Agent with thinking chain, knowledge graph, emotion system, and Claude Code-inspired execution flow. Provides transparent thinking, memory m...
⭐ 1· 85·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
SKILL.md promises web_fetch, installing new skills, sub-agent spawning and a Claude Code-style execution/permission system. The included scripts mostly implement local file I/O, simple XP/level updates, and a limited exec wrapper; there is no real web_fetch or package-install mechanism, and the referenced update_config.py is not present in the file manifest. The capability claims are therefore partially unimplemented/overstated, which is an incoherence (overclaiming).
Instruction Scope
Runtime instructions and scripts allow reading and writing files under a hardcoded WORKSPACE (/Users/wenvis/.openclaw/workspace) and permit shell command execution when permission_level == 'full'. SKILL.md describes high-level tools (exec, process, sessions_spawn, web_search) that would allow broad file and network access; the concrete scripts are mostly local stubs but are permissive (exec wrapper uses exec "$@"), so an agent given full permissions could run arbitrary commands. The skill also enables self-modification in config, which gives it scope to change behavior at runtime.
Install Mechanism
There is no install spec and no remote downloads. All code is bundled with the skill. From an install-of-code perspective this is low risk (nothing will be fetched or extracted at install time).
Credentials
The skill requests no environment variables or external credentials (proportionate). However, it uses a hardcoded WORKSPACE path and its config indicates exec/process/web_search capabilities; even without requesting secrets, the scripts can read and write local files and create notes in the user's workspace. Absence of declared credentials does not eliminate local-file access risk.
Persistence & Privilege
always is false (good). The skill enables self_modification and spawn_subagents in its config and can persist state under memory/her-agent/. That self-modifying behavior combined with autonomous invocation (disable-model-invocation is false by default) increases blast radius if the agent is granted high privileges, but the skill does not forcibly make itself always-on or alter other skills' configs.
What to consider before installing
What to consider before installing:
- The skill advertises network learning, installing skills, and sub-agent spawning but the shipped code is mostly local stubs — this mismatch could be sloppy engineering or a sign of incomplete/unsafe features. Ask the author what "install new Skill" and "web_fetch" actually do and where they would download code from.
- The scripts can read/write files under a hardcoded WORKSPACE (/Users/wenvis/.openclaw/workspace) and, if set to full permission, can execute arbitrary shell commands via exec. If you enable this skill for autonomous use, avoid granting it 'full' permissions and run it in a restricted/sandboxed environment.
- Missing/mentioned files: SKILL.md refers to update_config.py but it is not present. Confirm intended runtime artifacts.
- If you need to evaluate or run it: inspect/modify the scripts to remove hardcoded paths, restrict allowed commands, and disable self_modification or skill-install features until you trust the source. Prefer running in an isolated container or VM and do not run with elevated privileges or access to sensitive directories.
- If you do not control where the agent could fetch code from (no registry/homepage provided), treat "install new skills" and web/network claims as red flags and require the author to explicitly document trusted endpoints and install flows.Like a lobster shell, security has layers — review code before you run it.
latestvk97dfkctcrrcny4b64tyhqhh05841xzr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.