Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentscope Skill

v1.0.0

This guide covers the design philosophy, core concepts, and practical usage of the AgentScope framework. Use this skill whenever the user wants to do anythin...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (AgentScope guide/framework) matches the large Python codebase included. However the skill metadata declares no required env vars/binaries while the examples and SKILL.md expect provider API keys (e.g. DASHSCOPE_API_KEY, GAODE_API_KEY, OpenAI keys) and use tools that run shell/Python code — that mismatch is unexpected and unexplained.
Instruction Scope
SKILL.md instructs the agent to 'clone or update the AgentScope repository' into the skill directory and to register/run tools that execute shell commands and Python. It references environment variables and system files that are not declared in requires.env. The guide also includes examples that call execute_shell_command and execute_python_code (powerful actions). The pre-scan flagged 'system-prompt-override' patterns in SKILL.md, indicating possible prompt-injection content in the runtime instructions. These items expand scope beyond a simple documentation/help skill.
Install Mechanism
There is no formal install spec, but the package bundles a full library and many example files (hundreds of files). The documentation suggests pip install or git clone from GitHub (reasonable), yet the skill's metadata says 'instruction-only' while shipping the full repository — this mismatch is surprising and worth validating (source/trust).
Credentials
The skill declares no required env vars, yet SKILL.md and examples directly reference multiple environment variables (DASHSCOPE_API_KEY, GAODE_API_KEY, etc.) and use os.environ[...] without fallbacks. That implies the skill may read/require secrets that were not disclosed in metadata, which is disproportionate and a potential secret-exfiltration risk if combined with network-capable code.
Persistence & Privilege
always:false and model invocation allowed (normal). However SKILL.md explicitly tells the agent to clone/update the repository into the skill directory 'so that you can refer to it across different sessions' — that implies writing/updating files persistently and pulling code from the network. That behavior increases risk unless the source is verified and operations are sandboxed.
Scan Findings in Context
[system-prompt-override] unexpected: The SKILL.md contains wording/patterns flagged as system-prompt-override. A documentation/tutorial skill shouldn't include instructions to override system prompts. This could be a benign false positive (documentation quoting prompt examples) but is worth manual review.
[base64-block] unexpected: A base64-block pattern was detected inside SKILL.md. There's no legitimate need for opaque embedded payloads in a tutorial; inspect the file to confirm it isn't hiding instructions or binary blobs.
[unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. These may be used to obfuscate text or inject hidden instructions; verify whether they're intentional (formatting, examples) or suspicious.
What to consider before installing
What to consider before installing/using this skill:
- Source trust: The package contains a large AgentScope codebase and many examples but the registry shows 'source: unknown' and no homepage — verify the origin (official GitHub repo or trusted mirror) before use.
- Secrets: Examples reference multiple API keys and use os.environ[...] directly even though the skill metadata lists no required env vars. Do not provide sensitive credentials (OpenAI, cloud, GAODE, DASHSCOPE, etc.) until you confirm the skill's provenance and have inspected network calls.
- Code updates & cloning: The SKILL.md instructs cloning/updating the repo into the skill directory. That causes network pulls and persistent writes; only allow this in an isolated environment or sandbox and prefer pinning to a specific commit/known release.
- Runtime power: Examples register tools that execute shell and Python code — those make the agent capable of arbitrary code execution on your host. Run only in a sandboxed container or VM, and restrict what the agent can call.
- Prompt-injection signals: SKILL.md triggered prompt-injection heuristics (system prompt override, base64, unicode control chars). Manually inspect SKILL.md and other files for any hidden instructions or malicious prompts before granting the agent autonomous invocation.
- Recommended actions: clone the repository yourself and audit key files (SKILL.md, examples that register execute_shell_command/execute_python_code, any networking modules). Run the skill in an isolated environment (container/VM) without providing real credentials. If you decide to trust it, supply minimal, scoped credentials and monitor outbound network traffic.

If you'd like, I can: (1) list all places SKILL.md references environment variables and network endpoints, (2) extract and show the lines flagged by the prompt-injection scanner, or (3) suggest a safe sandbox run plan — tell me which you prefer.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

agentscope/examples/functionality/long_term_memory/reme/tool_memory_example.py:72
Dynamic code execution detected.

agentscope/docs/tutorial/en/src/task_realtime.py:369
WebSocket connection to non-standard port detected.

agentscope/docs/tutorial/zh_CN/src/task_realtime.py:364
WebSocket connection to non-standard port detected.
