ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawshell 0.1.0

v1.0.0

Human-in-the-loop security layer. Intercepts high-risk commands and requires push notification approval.

0· 1.6k·0 current·2 all-time
by@lucky-2968
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md promises a clawshell_bash tool that intercepts and mediates shell commands, but the skill bundle contains no executable, no implementation files, and no install spec. It declares node and Pushover env vars (which are consistent with sending push notifications), but there is no local code to actually perform interception; instead the README instructs the operator to run `npm install` to fetch dependencies — an unexpected shift of responsibility and a mismatch between described capability and provided artifacts.
!
Instruction Scope
Runtime instructions tell the operator/agent to run `npm install` in the skill directory and to add clawshell_bash to TOOLS.md so the agent uses it for all shell execution. Those steps implicitly require downloading and executing third-party code to implement the promised behavior. The instructions also suggest writing secrets to a .env file and modifying the agent's TOOLS.md (which affects global agent behavior). The instructions do not provide implementation details or safe validation steps before executing remote code.
!
Install Mechanism
There is no declared install spec, but the SKILL.md explicitly instructs running `npm install`. The included package.json is minimal and depends on a package named `package-lock.json` (odd and unexpected). The lock files point to a public npm package — instructing an operator to run `npm install` will fetch code from the public registry, which can execute arbitrary install scripts. Because the skill bundle contains no local implementation, running npm install is the only way to obtain the runtime code — that introduces a download-from-registry risk that is not vetted by the skill metadata.
Credentials
The two required env vars (CLAWSHELL_PUSHOVER_USER and CLAWSHELL_PUSHOVER_TOKEN) are consistent with the stated use of Pushover for approval notifications. The SKILL.md also mentions optional Telegram variables (CLAWSHELL_TELEGRAM_*), which are not declared as required — this is a minor inconsistency but not by itself malicious. Requiring push-notification credentials is proportional to the described functionality, but exposing those credentials to unreviewed code (via npm install) would be risky.
Persistence & Privilege
The skill does not request always:true, does not request system-wide config changes programmatically in its metadata, and is user-invocable only. The SKILL.md asks you to manually edit TOOLS.md to route shell commands through clawshell_bash, which is a manual, visible change rather than a hidden privilege escalation. Autonomous invocation is allowed (the platform default) but is not combined with other high-privilege flags.
What to consider before installing
This skill is internally inconsistent: it promises a shell-intercepting tool but supplies no implementation and tells you to run `npm install` to fetch code from the registry. Do NOT run npm install or provide your Pushover (or other) tokens until you verify the runtime code. Steps to consider before installing: - Ask the publisher for the source code or a trusted release (git repo or release tarball) and verify it matches the SKILL.md behavior. - Inspect the actual JavaScript code and any install scripts (preinstall/postinstall) before running npm install. - If you must test, run it in a fully isolated sandbox with no access to real credentials and no network access to sensitive hosts. - Prefer skills that include their implementation or a verifiable release URL; avoid running npm install based on an opaque package.json/lock that appears malformed. - If you install, do not store production Pushover tokens in the .env file until the code has been audited; create a test token instead. Given the mismatch between claim and artifacts, proceed cautiously — the skill is suspicious but not provably malicious without further inspection.

Like a lobster shell, security has layers — review code before you run it.

latestvk97f61gsrp1460022a9jzyc0z980g98r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvCLAWSHELL_PUSHOVER_USER, CLAWSHELL_PUSHOVER_TOKEN
Primary envCLAWSHELL_PUSHOVER_USER

Comments