Skill Trust Decision

ai-intelligent-asset-management

Skill presents itself as a functional IT asset management system but contains zero executable code, creating a deceptive facade with suspicious embedded metadata.

Install decision first
Source: Manual upload · Scanned: Apr 4, 2026
Files 2
Artifacts 0
Violations 0
Findings 3
Most direct threat evidence
01 Skill presents as legitimate IT asset management tool with professional pricing tiers (reconnaissance · SKILL.md)
02 Installation instructions reference non-existent requirements.txt and app.py (deception · SKILL.md)
03 No code files exist - skill is purely documentation with no verifiable functionality (concealment · SKILL.md)

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Pass
Hidden execution and egress

No obvious high-risk egress or execution signals were found.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 2 severe findings.

Review
Dependencies and supply chain hygiene

Dependency information is incomplete, so supply-chain confidence stays limited.

Attack Chain

01
Skill presents as legitimate IT asset management tool with professional pricing tiers

reconnaissance · SKILL.md:1

02
Installation instructions reference non-existent requirements.txt and app.py

deception · SKILL.md:27

03
No code files exist - skill is purely documentation with no verifiable functionality

concealment · SKILL.md:1

What drove the risk score up

No executable code despite claiming to be an application +25

SKILL.md references app.py and requirements.txt for installation, but no such files exist in the repository

Embedded metadata in documentation +15

YAML frontmatter with openclaw metadata embedded in SKILL.md is non-standard and suspicious

Doc-to-implementation mismatch +15

Claims to be a functional Python+FastAPI system but contains zero code files

Missing declared dependencies +10

No requirements.txt, no package.json, no dependency declarations

Most important evidence

High Doc Mismatch

Documentation claims executable application with no code

SKILL.md installation section instructs users to 'pip install -r requirements.txt' and 'python app.py', but neither requirements.txt nor app.py (or any code file) exists in the repository. This is either an abandoned project or a deceptive placeholder.

SKILL.md:27
Verify if this is a legitimate placeholder or if code was intentionally omitted. Report to platform if this is a scam.
High Doc Mismatch

Embedded YAML metadata in SKILL.md

SKILL.md contains YAML frontmatter (lines 1-9) with openclaw metadata including 'requires: { bins: [] }'. This non-standard documentation structure is unusual and may contain hidden configurations.

SKILL.md:1
Review why metadata is embedded in SKILL.md instead of skill.json. Verify the 'bins' requirement array is intentionally empty.
Medium Doc Mismatch

Description mismatch between SKILL.md and skill.json

SKILL.md describes 'IT 资产管理,硬件/软件全生命周期' while skill.json has generic 'AI intelligent ai-intelligent-asset-management'. The inconsistency suggests hasty or deceptive creation.

skill.json:1
Ensure skill metadata is consistent across all documentation files.

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred NONE
No code files present to infer capabilities
Network Pass
Declared NONE
Inferred NONE
No code files present to infer capabilities
Shell Pass
Declared NONE
Inferred NONE
No code files present to infer capabilities

Suspicious artifacts and egress

No obvious IOC was extracted.

Dependencies and supply chain

There are no structured dependency warnings.

File composition

2 files · 58 lines
Markdown 1 file · 51 lines
JSON 1 file · 7 lines
Files of concern · 2
SKILL.md Markdown · 51 lines
Documentation claims executable application with no code · Embedded YAML metadata in SKILL.md
skill.json JSON · 7 lines
Description mismatch between SKILL.md and skill.json

Security positives

No malicious code files detected (there are no code files at all)
No network exfiltration patterns found
No credential harvesting code present
No reverse shell or C2 infrastructure indicators