Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Agent Teams Simplify And Harden
v1.0.0Implementation + audit loop using parallel agent teams with structured simplify, harden, and document passes. Spawns implementation agents to do the work, th...
⭐ 0· 281·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and description describe coordinating implementation and audit agent teams; the instructions request creating parallel implementer agents (read/write) and read-only auditors, running builds/tests, and using git diffs — all consistent with implementing and hardening code.
Instruction Scope
The runtime instructions explicitly tell the agent to spawn 'general-purpose' implementation agents that 'can read, write, and edit files' and to use mode: bypassPermissions. They also instruct executing build/test commands and running git diffs across the repo. These actions go beyond passive analysis and allow automated, parallel modification of repository files and repeated execution — appropriate for the purpose but high-risk if misused or run without strict isolation and human review.
Install Mechanism
The registry lists no install spec, but the SKILL.md contains an install example using 'npx skills add pskoett/pskoett-ai-skills/agent-teams-simplify-and-harden', which would fetch code remotely. The skill itself is instruction-only (no code files), so there is no built-in installer, but following the README's npx install would execute a remote package — this should be verified before running.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. However, the instructions rely on repository access, running build/test commands, and spawning agents with filesystem write capability; ensure these permissions are intentionally granted and isolated, since the skill does not request explicit credentials but still requires substantial repository-level privileges.
Persistence & Privilege
The skill does not set always:true, which is good, but it directs creating multiple autonomous subagents with write access and uses 'mode: bypassPermissions'. Combined with autonomous invocation, this increases blast radius: subagents could make widespread repo changes if not constrained. Verify that your agent platform enforces least privilege, audit logs, and human approvals for high-impact changes.
What to consider before installing
This skill is coherent with its purpose (coordinating implementers and auditors) but grants broad privileges: it instructs spawning write-capable agents and even recommends 'bypassPermissions', and the README suggests installing code via npx from a remote repo. Before installing or running it: 1) verify the source of the npx package (review the remote repository and its code), 2) run the workflow in an isolated environment or fork/branch to avoid accidental changes to production, 3) disable or remove 'bypassPermissions' unless you understand and control its effects, 4) require human review/approval for audit rounds that resolve high/critical findings, and 5) ensure audit logs and rollback procedures are available. Note: the static scanner had no code to analyze (instruction-only), which is not evidence of safety — the instructions themselves prescribe high-privilege operations.Like a lobster shell, security has layers — review code before you run it.
latestvk97fv4qxfx2y8vmtwkr601arvx82a29j
License
MIT-0
Free to use, modify, and redistribute. No attribution required.