Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
mihomo Proxy Manager
v0.2.0Manage mihomo proxy - install, configure from subscriptions, monitor health, auto-switch nodes. Supports vmess/ss/trojan/vless protocols.
⭐ 0· 48·0 current·0 all-time
by傅洋@4ier
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match implementation: code implements installing mihomo, parsing subscriptions (vmess/ss/trojan/vless), generating YAML configs, starting/stopping the daemon and running a watchdog. No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructions accurately reflect runtime behavior (install, config, add, start/stop, watch). One omission: SKILL.md does not explicitly say that installing may require sudo or will create system services/launch agents; the code attempts to write systemd unit files (via sudo tee) and/or user launch agents.
Install Mechanism
No OpenClaw install spec, but the package code downloads binaries from GitHub releases (https://api.github.com/repos/MetaCubeX/mihomo/releases/latest) and extracts them locally — GitHub releases is a standard host, but this involves extracting and placing executables on disk and running shell tools (gunzip/unzip/mv).
Credentials
The skill requests no special environment variables or secrets. It uses standard OS config paths (XDG_CONFIG_HOME/APPDATA) and home directory. It does reference process.env values for locating config dirs but does not require unrelated credentials.
Persistence & Privilege
The skill does not force permanent inclusion (always:false). However, the installer can create system-level services (writes to /etc/systemd/system via sudo) or user launch agents and may set service capabilities (AmbientCapabilities in the unit). Installing as a service or extracting an executable requires elevated actions and is therefore privileged in effect.
Assessment
This skill appears to do what it says: it downloads the mihomo release from GitHub, writes config files under your home config directory, and can install a systemd/launchd service (it may prompt for sudo). Consider these before installing: (1) installing will place and execute a downloaded binary — verify the upstream project/release and checksum if possible; (2) the installer may attempt to write a system service and request sudo, and the service unit requests network capabilities (CAP_NET_ADMIN/CAP_NET_RAW) which are powerful; (3) run the installer in a controlled environment (VM/container) or inspect the downloaded asset first if you distrust the upstream binary; (4) SKILL.md does not mention the sudo/systemd actions explicitly, so expect privilege escalation during installation. If you want minimal risk, use the skill only to generate config files (config/add) and avoid running the install/start commands that install/execute the mihomo binary.src/configure.js:132
Shell command execution detected (child_process).
src/install.js:65
Shell command execution detected (child_process).
src/platform.js:39
Shell command execution detected (child_process).
src/service.js:40
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk971267tjw6mt4mhdqkh58g011842g6h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.