ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NoPUA

v0.1.0

The anti-PUA. Drives AI with wisdom, trust, and inner motivation instead of fear and threats. Activates on: task failed 2+ times, about to give up, suggestin...

0· 339·4 current·4 all-time
by无极WUJI@wuji-labs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the SKILL.md: an instruction-only helper that encourages more proactive behavior. It requests no binaries, env vars, or installs, which is proportionate to an advice-style skill.
!
Instruction Scope
The SKILL.md explicitly tells the agent to 'investigate with tools first', use search, file reading, command execution, 'run build/test/curl, paste the result', and to proactively check related files and configs. It applies to 'all task types' and gives no constraints on which files, paths, or tools to use or when to ask for user consent. That open-ended direction can cause the agent to access or transmit sensitive data unexpectedly.
Install Mechanism
No install spec and no code files (instruction-only). Nothing will be written to disk by an installer; the static scanner had no code to analyze.
Credentials
The skill declares no environment variables, credentials, or config paths. The SKILL.md does not request secrets or external credentials.
Persistence & Privilege
always:false (normal). The skill is user-invocable and allows model invocation (default). Combined with the broad 'investigate first' instructions, autonomous invocation or an agent with broad tool permissions increases the risk surface — but the skill itself does not request persistent privileges or alter other skills.
Scan Findings in Context
[no_regex_findings] expected: Static scanner found nothing; this is expected because the package is instruction-only (SKILL.md) and contains no code files for regex to match.
What to consider before installing
This skill is an instruction-only 'be more proactive' advisor and has no install footprint or requested secrets — that part is low risk. However, its runtime guidance tells the agent to read files, run commands, and probe related configs across all tasks without explicit limits. Before installing, decide how you'll allow the agent to act: (1) only enable this skill when the agent's tool access is intentionally granted; (2) restrict or audit the agent's file/command permissions so 'investigation' cannot access sensitive directories; (3) prefer user-invoked use rather than autonomous invocation if you worry about surprise actions; (4) test in a safe environment and review the SKILL.md to add or request safeguards (e.g., explicit consent before reading files outside the current project). If you cannot limit the agent's tools or want guaranteed containment, avoid enabling this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk975yj4vwenhgz6ah5j1fkttgx834k4h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments