Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Smart Agent Template
v1.1.0. Smart Agent workflow template: triple-judgment mechanism + auto-update + Context optimization. Includes complete task execution specifications, WBS breakdown, process exemption thresholds, memory management, and other best practices.
⭐ 0 · 66 · 0 current · 0 all-time
by Mark @whhaijun
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan (OpenClaw): Suspicious, medium confidence

Purpose & Capability
The files and code (memory manager, WBS, multi-agent docs, Telegram/Feishu bot integrations, ChromaDB/OpenClaw/Ollama guides) are broadly coherent with a 'smart agent workflow' template. However the registry metadata declares no required env vars or binaries while the included integration code and docs clearly expect many credentials and local services (Telegram token, Feishu app secrets, Claude/OpenAI API keys, Ollama local service, ChromaDB, OpenClaw). That mismatch is unexpected and should be justified by the author.
Instruction Scope
Runtime instructions and docs direct agents to read and enforce AGENTS.md (which the skill suggests embedding into other agents' system prompts), to auto-check/pull updates from GitHub/Gitee on startup, to run networked bots (webhooks/polling), and to access local memory files. The SKILL/README explicitly recommends making other agents 'read and obey' AGENTS.md (prompt injection risk). These instructions go beyond passive guidance and enable updating behavior and system-prompt modification.
Install Mechanism
There is no declared install spec, but the package contains scripts such as scripts/auto_update.sh and start scripts. The default auto_update.yaml enables update checks on startup (enabled: true, check_on_startup: true) and mentions silent updates. Automatic pull-and-update behavior from remote repositories creates a remote code execution/update vector unless you audit/disable it first.
Credentials
Registry lists no required environment variables, yet many files and docs require/expect secrets and endpoints (FEISHU_APP_ID/SECRET/VERIFICATION_TOKEN/ENCRYPT_KEY, TELEGRAM_BOT_TOKEN, CLAUDE_API_KEY, OPENAI_API_KEY, OLLAMA_BASE_URL, CHROMA/DB dirs, etc.). Requiring none in metadata while shipping integration code that needs sensitive credentials is an incoherence and raises risk of accidental credential exposure or misconfiguration.
Persistence & Privilege
The skill isn't marked always:true, but it defaults to auto-update on startup and provides scripts to check and pull remote changes. That gives it the potential to change its own code after installation (automatic updates), which increases the blast radius. It does not appear to modify other skills' configs, but the ability to fetch and install updates silently is a privilege that should be controlled.
Scan Findings in Context
[system-prompt-override] expected: The package explicitly recommends that other agents read AGENTS.md and 'comply with all specifications' (遵守所有规范), i.e. embed it into system prompts. For a workflow template this behavior is expected, but it is also exactly the kind of prompt-injection capability flagged by the scanner and can be abused if you allow untrusted updates or enable automatic updates.
What to consider before installing
Before installing or running this skill:
1) Treat the repo as code that will run on your system: audit scripts/auto_update.sh and any start scripts.
2) Disable automatic updates (set config/auto_update.yaml enabled: false and do not run auto_update.sh) until you trust the source.
3) Inspect any code that will be run on startup (bot entrypoints, auto-update, health/metrics scripts) and verify they don't call external URLs you don't expect.
4) Be cautious about enabling integrations: only set FEISHU/TELEGRAM/CLAUDE/OPENAI/OLLAMA credentials if you reviewed the integration code; keep secrets out of shared/mounted workspaces.
5) If you plan to let other agents 'read and obey' AGENTS.md or inject it into system prompts, be aware this is effectively a system-prompt override; only do so with fully audited content.
6) Prefer running in an isolated environment (container or VM) and limit network access until you've audited the update mechanism and webhook handlers.
7) If you need higher assurance, ask the publisher for a source URL / signed release; absence of a homepage and unknown owner ID reduces trust.
latest: vk97dpznvgx5ma9c9hz1w9nzabn83x0rw
Runtime requirements: 🤖 Clawdis