Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Investigator

Investigate public online footprints using open-source intelligence techniques. Use when a user wants to research a username, email, person, company, domain,...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 24 · 0 current installs · 0 all-time installs
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included scripts and references: username/email/domain/IP/profile checks, optional HIBP breach checks, variant generation, aggregation and report building. Optional API integrations (HIBP, Shodan, Google Maps, Hunter) are documented and make sense for OSINT enrichment.
Instruction Scope
SKILL.md restricts activity to public data and points to specific helper scripts and web_search/web_fetch; however, several scripts (notably scripts/check_domain.py) invoke shell commands via subprocess.check_output(['bash','-lc', f'whois {domain} | ...']) and run dig/whois through the shell. Those commands interpolate unsanitized user input into a shell command string, creating a command injection risk if the skill or agent invokes these scripts with attacker-controlled input. Scripts also perform network calls to third-party endpoints (ipinfo, ip-api, rdap, HIBP), which is expected for OSINT but means data about investigated inputs will be sent externally. The SKILL.md does not explicitly require input sanitization or warn about shell invocation risks.
Install Mechanism
No install spec (instruction-only) — low install risk. The bundle includes Python scripts that depend on the requests library and system utilities (whois, dig) if available. Because there's no install step, files are present but not automatically executed on install; execution happens at runtime when the agent follows SKILL.md.
Credentials
The skill declares no required environment variables, which is coherent. It documents optional API keys (HIBP_API_KEY, SHODAN_API_KEY, GOOGLE_MAPS_API_KEY, HUNTER_API_KEY). check_hibp.py will read HIBP_API_KEY from the environment or from a local secret file at ~/.openclaw/secrets/hibp_api_key — this is reasonable for optional breach checks but does mean the skill can access a local secrets file if present. No unrelated credentials are requested.
Persistence & Privilege
always is false; the skill does not request persistent presence or attempt to modify other skills or system-wide agent settings. It reads optional local secret files only if configured, which is documented.
Scan Findings in Context
[subprocess-shell-invocation] unexpected: scripts/check_domain.py uses subprocess.check_output with ['bash', '-lc', f'whois {domain} | sed -n "1,80p"'] and similar dig commands. While whois/dig usage is reasonable for domain enrichment, invoking them via a shell with unsanitized domain interpolation can allow command injection. Safer patterns (avoid shell, pass args as list, or sanitize input) are recommended.
[reads-local-secret-file] expected: scripts/check_hibp.py reads HIBP_API_KEY from environment or ~/.openclaw/secrets/hibp_api_key. Reading a local secret file for an optional HIBP API key is expected for the documented HIBP integration, but users should be aware the script will access that path if present.
[external-network-calls] expected: Multiple scripts perform HTTP requests to external services (rdap.org, haveibeenpwned.com, ipinfo.io, ip-api.com, and platform profile pages). This is expected for OSINT, but means investigated inputs and derived requests will be transmitted to third parties.
[subprocess-availability-dependence] expected: scripts/check_domain.py checks for 'whois' via shutil.which and falls back to a message if not present. The skill relies on optional system binaries (whois, dig) which may not be available in all runtimes.
What to consider before installing
This skill appears coherent for defensive OSINT, but review and take precautions before enabling it:

  1. Audit or sandbox execution, because check_domain.py runs shell commands via bash -lc with interpolated inputs; that can lead to command injection if untrusted input is passed. Prefer running the scripts only on trusted inputs, or modify them to avoid shell interpolation (use subprocess with argument lists, or Python DNS/WHOIS libraries).
  2. Be aware the scripts make outbound network calls (RDAP, IP info services, HIBP, platform profile pages), so investigated identifiers will be looked up externally.
  3. Only provide optional API keys (HIBP/SHODAN/GOOGLE_MAPS/HUNTER) if you trust the skill; it will read HIBP_API_KEY from your environment or ~/.openclaw/secrets/hibp_api_key if present.
  4. Ensure the runtime has the needed Python dependencies (requests) and, if you prefer, replace shell-based whois/dig calls with safer library calls.

If you cannot audit or sandbox the code, consider treating this skill as untrusted.
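To make the "avoid shell, pass args as list, or sanitize input" recommendation from the scan finding and from point 1 above concrete, here is an added example that is not code from the skill or from the scanner. It places the flagged bash -lc string construction (returned, never executed) beside a hardened version that validates the domain against a strict hostname grammar and hands subprocess an argument list with no shell. The function names, the hostname regex and the 80-line trimming done in Python instead of sed are assumptions of this example.

```python
import re
import shutil
import subprocess

# Strict hostname grammar (assumption of this example): labels of 1-63 letters,
# digits or hyphens that neither start nor end with a hyphen, joined by dots,
# at least two labels, whole name at most 253 characters.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_DOMAIN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")


def unsafe_whois_command(domain: str) -> str:
    """The pattern the scan flags: user input interpolated into a bash -lc string.
    Returned rather than executed so the caller can see that shell metacharacters
    survive into the command verbatim."""
    return f'whois {domain} | sed -n "1,80p"'


def normalize_domain(raw: str) -> str:
    """Lower-case, trim whitespace and a trailing root dot, then reject anything that
    is not a plain hostname. This covers shell metacharacters and also a leading '-',
    which whois would otherwise parse as an option even when no shell is involved."""
    domain = raw.strip().lower().rstrip(".")
    if len(domain) > 253 or not _DOMAIN_RE.fullmatch(domain):
        raise ValueError(f"not a valid domain name: {raw!r}")
    return domain


def safe_whois_argv(raw: str) -> list[str]:
    """Argument list for subprocess: no shell, so nothing is re-parsed by bash."""
    return ["whois", normalize_domain(raw)]


def run_whois(raw: str, max_lines: int = 80) -> str:
    """Run whois without a shell and trim to the first max_lines lines in Python
    instead of piping through sed. Mirrors the page's shutil.which fallback."""
    argv = safe_whois_argv(raw)  # raises ValueError before anything is executed
    if shutil.which("whois") is None:
        return "whois binary not available in this runtime"
    result = subprocess.run(argv, capture_output=True, text=True, timeout=30, check=False)
    return "\n".join(result.stdout.splitlines()[:max_lines])


if __name__ == "__main__":
    import sys

    print(run_whois(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

The validation step matters even after dropping the shell: an argument list stops bash from interpreting `;`, `|` or `$(...)`, but it does not stop the whois binary itself from treating an input that begins with `-` as a command-line option, so the hostname grammar is what closes that second path.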


Current version: v2.1.0
latest: vk970dazsqkgvdxph6a9gjscsgd830yv5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

SKILL.md

OSINT Investigator

Use this skill for broad public-footprint OSINT.

Supported target types include:

  • username / handle
  • email address
  • person / alias
  • organisation / company
  • domain / website
  • IP address
  • phone number
  • location / address
  • image

Read as needed:

  • references/target-types.md for classification
  • references/workflow.md for investigation flow
  • references/modules.md for module selection
  • references/osint-sources.md for source categories
  • references/platforms.md for target platforms and search ideas
  • references/platform-validation.md for platform-specific validation rules
  • references/profile-media.md for profile image handling
  • references/scoring.md for confidence logic
  • references/aggregation.md for overall scoring and result merging
  • references/variants.md for handle-variant generation
  • references/tooling.md for lightweight discovery helpers
  • references/breach-checks.md for optional defensive breach lookup behavior
  • references/apis.md for optional API enrichment
  • references/configuration.md for HIBP API key setup
  • references/report-format.md for structured reporting
  • references/safety.md for acceptable-use boundaries
  • references/output.md for response structure

Use scripts when helpful:

  • scripts/generate_variants.py for plausible username variants
  • scripts/check_profiles.py for first-pass platform checks with platform-aware validation
  • scripts/check_hibp.py for optional Have I Been Pwned email checks
  • scripts/check_domain.py for lightweight domain enrichment
  • scripts/check_ip.py for lightweight IP enrichment
  • scripts/aggregate_results.py to merge findings into a scored summary
  • scripts/export_json.py for structured JSON output
  • scripts/build_report.py for compact report generation from structured results

Use web_search and web_fetch to confirm weak findings, enrich strong ones, and gather public evidence when helper-script results alone are ambiguous.

Core behavior

  • Focus on public data only.
  • Prefer lightweight verification over aggressive scraping.
  • A 200 HTTP status is not enough to confirm a profile.
  • Separate facts from guesses.
  • Report confidence, not certainty.
  • Keep results structured and easy to audit.
  • Prefer a smaller set of verified findings over a noisy wall of guesses.
  • Run only the modules relevant to the target.

Workflow

  1. Classify the target using references/target-types.md.
  2. Normalize the input.
  3. Select relevant modules using references/modules.md.
  4. Run lightweight helper scripts where useful.
  5. Use targeted web search to confirm or enrich weak and likely matches.
  6. Capture final links and public profile image URLs when available.
  7. If an email is provided and HIBP is configured, run a defensive breach check.
  8. For domains or IPs, run the relevant lightweight helper.
  9. Record exact matches, likely matches, weak matches, no-results, and not-verifiable results.
  10. Compare public signals across findings.
  11. Aggregate the findings into a scored summary using scripts/aggregate_results.py and references/aggregation.md.
  12. Return a concise human summary or a structured report depending on the request.
  13. Export JSON if requested.

Output rules

Always distinguish between:

  • confirmed public match
  • likely match
  • weak/uncertain match
  • not verifiable
  • no evidence found

Include final links for meaningful findings. Include profile image links only when they are publicly exposed and easy to extract. If HIBP is used, report breach results as defensive exposure information, not identity proof. If using domain/IP helpers, treat them as enrichment, not full attribution.

Do not overclaim identity resolution. If evidence is thin, say so clearly. If evidence conflicts, say so clearly. Lead with the strongest public evidence first. Prefer the compact format by default; use an extended report only when the user asks for depth.

Safety

Read references/safety.md when the request could drift into harassment, private-person targeting, or invasive tracking.

Do not help with:

  • credential theft
  • account takeover
  • bypassing access controls
  • doxxing
  • stalking or targeted harassment
  • collecting non-public personal data
  • invasive private-person targeting

Style

  • concise
  • factual
  • audit-friendly
  • explicit about uncertainty

Files

27 total
