SOTA Agent
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill appears purpose-aligned for SOTA planning and review, but it runs local Python helpers and writes persistent campaign/evidence records that users should keep scoped and sanitized.
This looks reasonable for a local SOTA planning workflow. Before installing or using it, make a dedicated campaign workspace, inspect the helper scripts you will run, keep all output paths inside that workspace, and do not put secrets, private links, local endpoints, or account identifiers into campaign artifacts. The provided materials do not justify giving it API keys or sensitive credentials.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users have less upstream provenance to rely on when deciding whether to run the included helper scripts.
The artifact provenance is limited, but there is no remote installer, package bootstrap, or hidden dependency shown in the provided materials.
Source: unknown ... No install spec — this is an instruction-only skill.
Review the included scripts before running them, prefer a verified publisher/source when available, and obtain the omitted file contents if you need a full source audit.
The scripts can create or update local campaign records in paths the user provides.
The skill asks the user or agent to run local Python helpers that create files under user-selected paths. This is disclosed and central to the skill's purpose, with explicit workspace scoping guidance.
Use `python3 {baseDir}/scripts/init_sota_campaign.py --root <dir> ...` ... `Keep file writes inside one campaign workspace.`Run the helpers only in a dedicated campaign directory, check all `--out`, `--root`, `--bundle-root`, and `--output-root` paths, and avoid system or unrelated home-directory paths.
Benchmark notes, URLs, local paths, or run summaries may persist in campaign files and could be reused or shared later.
The skill intentionally creates durable campaign records from external evidence. The artifacts include sensible sanitization guidance, but users still need to avoid placing secrets or private identifiers into those records.
Durable campaign records should contain aliases, public URLs, checksums, metric tables, and review outcomes. They should not contain local debug endpoints, private links, credentials, account identifiers, or private profile names.
Keep records sanitized, review generated files before sharing or publishing, and do not include credentials, private URLs, account names, local endpoints, or sensitive dataset identifiers.