ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Egress

v1.0.2

Network data loss prevention for agent workspaces. Scans skills and files for outbound URLs, data exfiltration endpoints, suspicious domains, and network function calls. Maps every external connection. Free alert layer — upgrade to openclaw-egress-pro for blocking, quarantine, and URL allowlists.

0· 1.5k·2 current·2 all-time
by@atlaspa
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code's scanning capabilities (URL detection, network-call heuristics). Requiring only python3 is proportionate. However, the package also contains constants and helper functions for quarantine and allowlist persistence (QUARANTINE_PREFIX, BLOCK_COMMENT, save_allowlist) which go beyond a read-only scanner and are not clearly declared in SKILL.md's 'free alert' description.
!
Instruction Scope
SKILL.md documents only scanning, domain listing, and status commands and promises 'everything runs locally' with no external I/O. The script's header and constants indicate functionality to quarantine skills and enforce allowlists (which implies modifying files/directories). The instructions do not warn that running the script could rename directories, write .egress-allowlist.json, insert block comments, or otherwise modify workspace/skills.
Install Mechanism
No install spec; the skill is shipped as a script and README. That's low-risk from supply-chain/remote-download perspective. It does include an actual script file (not instruction-only), so there is executable code to review.
!
Credentials
The skill requests no credentials and only python3, which is appropriate for scanning. However the script reads and writes inside the user's workspace (loads/saves an allowlist file and likely can quarantine/modify other skill directories). That level of filesystem write access should be explicitly declared and justified; it is not surfaced clearly in the SKILL.md usage examples.
!
Persistence & Privilege
The skill is not always-enabled and not force-installed, which is good. However the code appears able to modify other skills (quarantine via directory rename/prefix and potentially inject block comments) and to persist an allowlist in the workspace. Modifying other skills' files or directories without an explicit, visible opt-in is a privileged action and a notable risk.
Scan Findings in Context
[network_call_detection_patterns] expected: The script includes regexes and heuristics to detect network libraries, curl/wget, and outbound URLs — this is expected for a DLP/egress scanner.
[allowlist_persistence_write] unexpected: The script defines ALLOWLIST_FILE and implements save_allowlist/load_allowlist to write .egress-allowlist.json into the workspace. The SKILL.md promised 'free alert' with pro features for allowlists; persistent writes should be explicitly documented and opt-in.
[quarantine_modification_capability] unexpected: Constants like QUARANTINE_PREFIX and BLOCK_COMMENT plus header text mentioning 'quarantine' and 'block' indicate the script is capable of modifying or renaming other skill directories and adding block comments — behavior not clearly declared in runtime instructions.
What to consider before installing
This skill largely does what it says — scanning for outbound URLs and network calls — but the bundled script contains code paths for saving an allowlist and for quarantining/modifying skills (renaming directories, inserting block comments). The SKILL.md and README emphasize 'alert-only' for the free version yet the code includes modification capabilities; source/homepage are not provided. Before installing or running: (1) review the full scripts (search for rename/move, os.remove, shutil.move, write/open calls that change other directories), (2) run scans on a copy or a non-production workspace first, (3) back up your workspace/skills, (4) prefer running with --skills-only and in read-only mode if available, and (5) avoid granting broad write access if you don’t trust the source. If you need absolute assurance, ask the publisher for a provenance URL or a signed release and/or run the script in an isolated container or VM.

Like a lobster shell, security has layers — review code before you run it.

latestvk979dk9fvbh3sfxjkg5m2qg7v5810ted

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🌐 Clawdis
OSmacOS · Linux · Windows
Binspython3

Comments