Best practices for AI agents - Cursor, Claude, ChatGPT, Copilot. Avoid common mistakes. Confirms before executing, drafts before publishing. Vibe-coding essential.
Security Analysis
high confidenceThis is an instruction-only best-practices skill whose declared requirements and runtime instructions are consistent with its stated purpose and do not request credentials or perform installs themselves.
The name/description (agent best-practices) matches the content of SKILL.md and README. The skill requests no binaries, credentials, or config paths that would be unnecessary for a guidance document. Minor metadata inconsistencies exist (package.json author/homepage entries vs registry metadata), but these are bookkeeping issues, not security mismatches.
SKILL.md stays on-topic (confirm before executing, ask clarifying questions, stop on user STOP, etc.). It does recommend changing OpenClaw agent config to enable memoryFlush and sessionMemory (openclaw config patch), which is within the realm of an agent-behavior guide but has privacy/retention implications because it increases what the agent can store and search across sessions. The skill does not instruct reading unrelated system files or exfiltrating data.
There is no install spec embedded in the skill bundle (instruction-only), so nothing is downloaded or written by the skill itself. The README/SKILL.md suggest installing via clawdhub or npm, which is normal; if you choose to install, verify the package source (GitHub/npm) before running those external installers. SKILL.md contains a minor typo/inconsistency in the example clawdhub install command (comma-separated string), but that is non-malicious.
The skill requires no environment variables, credentials, or config paths. It does not ask for tokens, keys, or secrets, so there is no disproportionate credential request.
The skill recommends enabling session memory and memoryFlush via openclaw config patch, which increases the agent's ability to persist and search past session transcripts. The package does not set always:true and does not autonomously change agent settings itself, but the recommendation is a configuration change the user should consciously opt into because it affects long-term data retention and searchability.
Guidance
This skill is an instruction-only best-practices guide and appears coherent with its stated purpose. Before installing or applying its recommended config changes: 1) Verify the publisher/source (check the GitHub repo and npm listing) to ensure you're installing the expected package. 2) Be cautious about enabling sessionMemory/memoryFlush—doing so increases what the agent stores and can search across sessions; confirm this behavior is acceptable for your privacy/security needs. 3) If you use the suggested install commands, fix the minor typo (use the correct package name) and confirm the package identity (checksum or repo) when possible. 4) No credentials are requested by the skill itself, but always review any third-party code you install for hidden behavior.
Latest Release
v1.1.3
- Skill renamed from "moltbot, openclaw-best-practices" to "moltbot-best-practices" - Description and keywords updated for clarity and broader tool coverage (now mentions ChatGPT, Copilot, GitHub Copilot, developer/dev tools, TypeScript, LLM) - Minor text and formatting tweaks for conciseness and consistency in SKILL.md - Version bumped to 1.1.3
More by @NextFrontierBuilds
Published by @NextFrontierBuilds on ClawHub
