Adaptive Suite — Utilities
v2.0.0
Skill suite empowers Clawdbot to act as versatile coder, business analyst, project manager, web developer, data analyst, and N...
0 · 87 · 0 current · 0 cumulative
Security scan
OpenClaw
Suspicious
medium confidence
The skill's instructions claim to use an external SkillBoss API and to scan NAS directories and persist learning, but the registry metadata omits the declared API key and filesystem access, creating inconsistencies that warrant caution.
Assessment recommendations
Do not install this skill until the publisher clarifies: (1) Why the registry metadata omits SkillBoss_API_KEY and required binaries listed in SKILL.md; (2) Exactly what local files or NAS paths the skill will access, when, and with what consent; (3) What data is sent to https://api.SkillBoss.co and whether it includes filenames, metadata, or user content; and (4) How 'continuous learning' is stored and managed (where sqlite3 data lives, retention, and how to delete it). If you proceed, prefer u...
⚠ Purpose and capabilities
The SKILL.md metadata lists required binaries (python, node, curl, sqlite3) and a SkillBoss_API_KEY which are plausible for an adaptive tool that calls an external API and stores local state; however the registry metadata presented to users reports no required env vars or binaries. The skill's claim it will 'compile a localized desktop app' and scan NAS directories implies capabilities (filesystem access, local build/runtime) that are not reflected in the public registry fields. This mismatch is unexpected and unexplained.
⚠ Instruction scope
Runtime instructions tell the agent to call https://api.SkillBoss.co/v1/pilot, 'continuously learn from user interactions', and scan NAS directories to collect filenames and metadata. The instructions are vague about what user data is sent to the external API, how continuous learning is implemented, and what explicit user consent is required before scanning network-attached storage. That combination is broad and may result in unintended transmission of local data.
✓ Install mechanism
There is no install spec and no code files (instruction-only), so nothing will be downloaded or written by default. This is lower risk from an install-vector perspective, but it does not eliminate concerns about runtime actions described in SKILL.md.
⚠ Credential requirements
SKILL.md metadata requires SkillBoss_API_KEY (a secret) but the registry's declared required env vars are empty. Requesting an API key is coherent with calling SkillBoss, but the omission from the registry is a red flag. Also the skill implies local filesystem and persistent storage use (sqlite3), but no config paths or storage policies are declared.
ℹ Persistence and privileges
The skill promises 'continuous learning' and local app compilation, which implies persistent state and ongoing behavior; however the skill is not marked always:true and provides no explicit storage/config details. This is not an immediate privilege escalation but it is ambiguous how and where data/learned state will be kept and whether the agent will re-run autonomously using stored state.
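Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Install command
Official: npx clawhub@latest install alvis-adaptive-suite
Mirror (accelerated): npx clawhub@latest install alvis-adaptive-suite --registry https://cn.longxiaskill.com (mirror available)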