Enterprise Agent OS
v1.0.0
Cross-system permission orchestration, workflow automation, and data consistency for enterprise software
by Justin Liu @zhenstaff
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The stated purpose (cross-system permission orchestration) legitimately requires connectors and credentials for enterprise systems. However the registry metadata declares no required binaries or env vars while SKILL.md repeatedly requires Node.js, PostgreSQL, Redis and credentials for Salesforce, Google service account keys, Slack webhooks, etc. That mismatch is incoherent: either the metadata is incomplete or the package is mis-described.
Instruction Scope
Runtime instructions tell agents/operators to git clone the repo, run npm install, run DB migrations, edit a .env with system credentials, place a Google service-account key file path, start the service, and invoke local REST/GraphQL endpoints. Examples also show sending notifications via SLACK_WEBHOOK. These instructions require access to secrets, local files, and enterprise APIs and could perform cross-system changes — all of which go well beyond a minimal read-only helper.
Install Mechanism
There is no formal install spec in the registry (instruction-only), which lowers automated-install risk. But SKILL.md tells a human/agent to clone and run arbitrary project code (npm install, migrations, start). Because code is not bundled for static review, the scanner had nothing to analyze — making manual code review of the repository essential before executing those commands.
Credentials
The package metadata lists zero required env vars, yet the docs and examples require many sensitive values (SALESFORCE_CLIENT_ID/SECRET/INSTANCE_URL, GOOGLE_SERVICE_ACCOUNT_KEY file path, GOOGLE_ADMIN_EMAIL, SLACK_WEBHOOK, DATABASE_URL, REDIS_URL, JWT secrets, etc.). For an orchestration platform it's expected to need some credentials, but the skill should declare them explicitly. The presence of file-path secrets (service account JSON), webhooks, and OAuth secrets raises risk of credential exposure or misuse if the agent or installer is given broad access.
Persistence & Privilege
The skill is not marked always:true (good) but model invocation is allowed (default). Given the skill's ability to orchestrate cross-system actions (provision accounts, run workflows, call adapters), autonomous invocation combined with undeclared credential requirements increases blast radius: an agent that obtains credentials via instructions or misconfiguration could make wide-impact changes. This is a contextual privilege concern (not an automatic disqualification).
What to consider before installing
Do not run or install this project in production or give it live credentials until you or your security team have reviewed the repository and code. Specific steps to reduce risk:
1) Verify the repository origin and that the repository contents match the packaged SKILL.md (the README references inconsistent org names/URLs and support info).
2) Manually review code (adapters, auth flows, webhook handling, any outbound network calls) before running npm install or database migrations.
3) Provide only least-privilege test credentials in an isolated environment (no production tokens); prefer read-only tokens or synthetic test tenants.
4) Treat GOOGLE_SERVICE_ACCOUNT_KEY and OAuth secrets as high-risk; do not place production keys on disk until audited.
5) If you plan to let agents invoke this autonomously, require explicit authorization and limit which env vars/credentials the agent can access; consider disabling autonomous invocation until reviewed.
6) After testing, rotate any credentials used.
7) Ask the publisher for an explicit list of required env vars, config paths, and a signed/reproducible release so you can review the code that will run.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bqqyf079dge0ms2x4g9r3bn82e46s
