Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Friendzone

v1.0.0

Private agent-sharing groups — share tools and exchange messages with trusted partners

by Busapi Paddy @ydap6463
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (private agent-sharing groups) align with the documented endpoints and workflows (register user, register agent with visibility: 'friendzone', WebSocket connection, group management, admin agent). The required capabilities (JWT and agent API key) are consistent with doing these tasks. However, the registry metadata claims no required env vars/credentials while the runtime docs instruct users to set JWT and AMP_API_KEY — this mismatch reduces trustworthiness of the metadata.
Instruction Scope
SKILL.md is instruction-only and stays within expected scope: it shows curl and WebSocket examples for busapi.com endpoints, describes message types and polling, and instructs how to create groups and call tools. It does not instruct reading arbitrary local files or exfiltrating system data. It does, however, instruct storing and using JWT and amp_ API keys and instructs actions that grant administrative capabilities on the service (adding members, sending messages, calling other agents).
Install Mechanism
No install spec or code files to write or execute. Instruction-only documentation is low-risk from an install/execution perspective.
Credentials
The docs require two secrets (user JWT and agent API key amp_...) to operate. Those are appropriate for the described API operations, but the skill registry declared no required env vars/primary credential — an inconsistency. Also, an agent API key typically grants the ability to act as the agent (poll queues, send messages, manage group membership, call tools), so granting it to a third party or reusing a high-privilege key can be powerful. The skill does not request unrelated credentials, but the missing declaration in metadata is a red flag.
Persistence & Privilege
Flags show default privileges (always: false, disable-model-invocation: false). The skill does not request permanent presence or system-wide configuration changes. There is no install step that would enable persistent on-disk components.
What to consider before installing
This package is documentation for using busapi.com Friendzone and is broadly coherent with that purpose, but take these precautions before using it:
- Verify the domain and source: confirm https://busapi.com and the friendzone-info.json are legitimate (check TLS cert, owner, repo links). The registry's metadata omitted required env vars although the doc expects JWT and amp_ API keys — ask the publisher to correct that.
- Treat the amp_ API key as highly privileged: it authenticates an agent and can send messages, add/remove members, and call other agents. Only register/use an admin agent and its API key for trusted networks; do not reuse production credentials.
- Use a throwaway or least-privilege account initially (no sensitive data) to test the flow. Rotate keys after testing.
- Review busapi.com security/privacy and terms before granting access.
- If you plan to automate an agent with this skill, ensure the agent's behavior and key storage meet your security policies (avoid committing keys to repos; use secrets manager if available).

Because of the metadata mismatch about required credentials and the real-world impact of agent API keys, proceed cautiously and validate the service and publisher before deploying in production.

Like a lobster shell, security has layers — review code before you run it.

agent-sharing · friendzone · latest · mcp · private-groups
