Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

roundtable-forum

v1.0.0

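A moderator guides multiple representatives of different schools of thought through a structured, in-depth dialogue on complex topics, generating ASCII thinking frameworks and knowledge networks to support decision-making and learning.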

by 张志旭 @zhangzhixu
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The stated purpose (running a hosted roundtable/dialog engine) is consistent with the included core_engine.py, but the SKILL.md/README claim multiple separate modules (moderator.py, representative.py, ascii_chart.py, command_parser.py), templates/, output/ and external dependencies (rich, ascii-art, pydantic). The package contains only core_engine.py, README.md, and SKILL.md. Declared dependencies and module structure are disproportionate to the actual files provided.
Instruction Scope
Instructions reference cron scheduling, an entrypoint at skills/roundtable-forum/main.py, automatic generation of new character personas/MBTI, and writing knowledge-network files to output/, but the repository manifest lacks those files and there is no install step to configure cron. The SKILL.md also promises dynamic representative generation and high accuracy targets that are not clearly implemented in the single core_engine.py file. These mismatches broaden the agent's discretion and hide implementation details.
Install Mechanism
There is no install spec and no external download step. That lowers risk because nothing is automatically downloaded or written during installation. The skill appears instruction-only plus one local Python file.
Credentials
The skill requests no environment variables, no credentials, and no config paths. There is no apparent reason for secrets or system-wide credentials based on the described functionality.
Persistence & Privilege
always is false and there is no install script that claims to modify system or other skills. The SKILL.md references cron reminders, but no mechanism is provided to install cron jobs — so no elevated persistence is present in the bundle as given.
What to consider before installing
This skill appears to implement a conversational 'roundtable' in a single Python file, but its documentation claims many additional modules, dependencies, templates, and cron setup that are not present. That mismatch is a red flag for sloppy packaging or an incomplete upload; it is not necessarily malicious, but you should not run it blindly. Before installing or running:
1) Request the missing files or a published homepage/author contact to verify integrity.
2) Inspect the remainder of core_engine.py (the provided snippet is truncated) to confirm it does not perform network calls, write unexpected files, or execute shell commands.
3) Run the code in an isolated environment (container or VM) as a non-privileged user to observe its behavior (look for writes to output/, attempts to create cron jobs, or outbound network connections).
4) If you need the advertised features (rich/ascii-art, templates, cron), ask the maintainer for a complete release or prefer a package that includes a clear install script.
The lack of required credentials is good, but the inconsistencies between documentation and code merit caution.

Like a lobster shell, security has layers — review code before you run it.
