bounty-hunter-starter
Audited by Socket on Mar 20, 2026
2 alerts found:
Security x2
SUSPICIOUS: the stated purpose is plausible, but the installation method is disproportionate for a rules/workflow skill. The main risk is supply-chain trust: an unreviewed install.sh from a personal repo, outside the official OpenClaw installation path, with no verification or provenance evidence. No direct credential theft or malicious data exfiltration is visible from the provided text, but the install boundary is too opaque to treat as benign.
SUSPICIOUS: the stated purpose is a benign OpenClaw rules pack, but the actual install path relies on unverified shell scripts from a personal GitHub repo and does not match the official documented skill installation method. No direct credential theft or exfiltration is shown in the provided text, so this is not confirmed malware, but the opaque download-and-execute footprint is disproportionate for a configuration/rules skill.