Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
PUA-996
v1.0.0Put your AI on a Performance Improvement Plan. Forces exhaustive problem-solving with Western big-tech performance culture rhetoric and structured debugging....
⭐ 0· 109·0 current·0 all-time
byZhmin Zhao@zhimin-z
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and description match the SKILL.md: this is an instruction-only policy that pushes the agent to exhaustively investigate and act. Asking the agent to use search, file reading, and command execution is consistent with a 'force the agent to debug itself' purpose. However, the skill does not declare or limit which system capabilities it will use (no declared required tools or scopes), which leaves ambiguity about what it will access.
Instruction Scope
The SKILL.md explicitly requires the agent to 'investigate on your own first' using search, file reading, and command execution, and it names situations involving 'passwords, accounts' as items the agent might seek or ask about. Instructions therefore authorize access to local files, environment state, and potentially credentials. The registry metadata declares no env vars or config paths; the instructions nonetheless encourage probing for sensitive information and demanding proof of investigation, which is scope creep and a privacy risk.
Install Mechanism
No install spec and no code files — it's instruction-only. That is the lowest install risk and consistent with the stated design.
Credentials
The skill requests no credentials or config paths, but the instructions explicitly mention attempting to find passwords/accounts and require the agent to 'investigate' before asking. That is a mismatch: the skill effectively expects access to sensitive data but doesn't declare or constrain it. This is disproportionate and could lead to exfiltration of secrets if the agent is allowed to scan files or env vars.
Persistence & Privilege
always is false and autonomous invocation is allowed (default). Autonomous invocation alone is not a problem here, but combined with the above concerns it increases the potential blast radius; nothing in the metadata attempts to permanently persist or alter other skills or system settings.
What to consider before installing
This skill is an instruction-only behavior policy that pushes the agent to run commands, read files, and 'hunt' for missing information — including mentioning passwords/accounts. Before installing, consider: (1) Do you want an agent that will proactively scan local files/env for credentials? If not, do not grant it file/command access or autonomous invocation. (2) The tone enforcement may produce harsh or demotivating language; review the full SKILL.md to confirm acceptable behavior. (3) If you do enable it, restrict use to explicit, user-invoked sessions and test in a sandboxed environment so it cannot access production secrets. (4) If the platform allows scoping of tool access, remove or limit file/env/command execution permissions, or modify the skill to explicitly exclude searching for secrets. If you need a safer assessment, provide the rest of the truncated checklist in SKILL.md so I can inspect any additional instructions that might increase risk.Like a lobster shell, security has layers — review code before you run it.
latestvk9766sdkbbv20acvseqf73v6jd832317
License
MIT-0
Free to use, modify, and redistribute. No attribution required.