ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zoriy Prompt Engineer

v1.0.0

Generates high-quality, structured, engineering-grade prompts. Use when the user asks to create, generate, or write a prompt for technical tasks — software d...

0· 354·0 current·0 all-time
by@zoriyai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the skill's instructions: it only generates structured technical prompts and requires no binaries, installs, or credentials. Asking the agent to always include a role and an external-docs directive (ClaudeKit Engineer + Context7) is plausible for a prompt-engineer skill, but those mandatory external references are not described elsewhere (no homepage, no docs), so the requirement is unexplained.
!
Instruction Scope
SKILL.md mandates injecting 'You are working as ClaudeKit Engineer' and 'Use Context7...' into every technical prompt and states these are 'non-negotiable defaults', yet later says 'If user explicitly forbids them, omit' (contradiction). The instructions direct implicit use of external systems (Context7) for up-to-date docs without declaring what that system is or whether network access or credentials are needed. There are no steps that read local files or secrets, so scope creep is limited, but the forced, unexplained external dependency is concerning.
Install Mechanism
Instruction-only skill with no install spec and no code files. Lowest-risk installation surface; nothing will be written to disk by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is proportional. However, it mandates using 'Context7' (an external docs/source) without declaring any required network access or credentials—this mismatch is unexplained and could lead the agent to call external endpoints or services implicitly if available in the runtime.
Persistence & Privilege
always is false and there are no install scripts or instructions to modify agent/system configuration. The skill does not request persistent privileges.
What to consider before installing
This skill is mostly coherent for generating engineering prompts, but it forces inclusion of two external directives — 'ClaudeKit Engineer' and 'Use Context7' — without explaining what those services are or whether they require network access or credentials. Before installing, ask the publisher: (1) what are 'ClaudeKit' and 'Context7' (URLs, who operates them, do they require tokens?), (2) why must they be injected by default and under what circumstances can they be omitted, and (3) whether the agent will make outbound requests to Context7 or any external endpoints. If you cannot get clear answers, treat the skill as higher-risk: avoid granting it autonomous invocation in sensitive environments and test it in a sandbox to observe whether it causes unexpected network activity or prompts injection.

Like a lobster shell, security has layers — review code before you run it.

latestvk979rmxjyx36pjrfpmfegy95fd831qtr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments