Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Virtual Box Manager

v0.0.1

Control and manage VirtualBox virtual machines directly from openclaw. Start, stop, snapshot, clone, configure and monitor VMs using VBoxManage CLI. Supports...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md, and the included helper script all focus on driving the VBoxManage CLI and VM lifecycle. The only required binary listed is VBoxManage, which is appropriate and expected for this functionality.
Instruction Scope
Instructions and the helper code issue many shell commands via child_process.exec to run VBoxManage. That is necessary for this skill, but executing commands built from user-provided values can allow shell injection if callers pass untrusted input. The SKILL.md and code do not show explicit input sanitization—exercise caution when supplying arbitrary strings (paths, VM names, descriptions, ports, etc.).
Install Mechanism
No install spec is provided (instruction-only skill with a helper script). Nothing is downloaded or written to disk by an installer, which keeps install risk low.
Credentials
The skill declares no required environment variables but the code checks process.env.VBOXMANAGE_PATH as an optional override for the VBoxManage binary. This is reasonable, but the environment variable is not listed in the metadata; users should be aware an env override exists.
Persistence & Privilege
always is false and there are no requested config paths or credentials. The skill does not request persistent elevated privileges or modify other skills' configuration.
Assessment
This skill appears to do what it claims: it runs VBoxManage commands to manage VMs and does not request unrelated secrets or installs. Before installing, ensure VBoxManage/VirtualBox is installed and that you run the skill under an account with only the necessary local privileges. Be cautious with inputs you provide to the skill (VM names, paths, descriptions, ports) because the helper uses shell execution (child_process.exec) and could be vulnerable to command injection if given untrusted strings—avoid passing untrusted or unsanitized input. Note also an optional VBOXMANAGE_PATH environment variable can override the binary path; if you want to lock behavior, set or audit that environment variable. If you need stronger guarantees, review the scripts/virtualbox-utils.ts code or run the skill in a restricted environment.

latestvk97c8tq5m667nxjgmaanc8ws5n817ges

Runtime requirements

🖥️ Clawdis
Bins: VBoxManage
