Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hxd Deploy

v1.0.0

Deploys the 霍小钉 service to a server. Automatically uploads the JAR file, backs up the old version, and restarts the service.

by xiaodouzi@adtomato
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (deploy Hxd service) aligns with the actions in SKILL.md: building a JAR, uploading it, backing up, restarting and checking logs on a remote server. However the skill hard-codes a specific server IP (203.170.59.16), the root user, and local Windows build paths, which makes it narrowly targeted and brittle; reasonable deploy tooling would expose these as configurable rather than baked into the instructions.
Instruction Scope
The SKILL.md instructs the agent to run local build commands (mvn), check local file paths (D:\... target JAR), use scp/ssh to connect as root to a remote host, and read/use the user's SSH private key (~/.ssh/id_ed25519 or $env:USERPROFILE\.ssh\id_ed25519). These actions access sensitive local files and network endpoints. While these actions are expected for a deploy, the skill did not declare or ask for these sensitive artifacts and gives the agent explicit commands that could be used to exfiltrate data or make privileged changes on a remote host.
Install Mechanism
No install spec and no code files — the skill is instruction-only, which minimizes disk persistence risk. There is no package download or archive extraction to review.
Credentials
The skill declares no required environment variables or config paths, but its instructions rely on several environment-dependent items and binaries: the user's SSH private key file, Windows USERPROFILE environment, the local build path, and external commands (mvn, ssh, scp, tail, netstat, awk). Declaring none of these is inconsistent: the skill implicitly requires access to sensitive credentials (SSH key) and local filesystem paths without listing them or justifying why the agent should access them.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and has no install steps. It is user-invocable and may be invoked autonomously when trigger phrases are seen; combined with the sensitive actions in the instructions (using the user's SSH key and connecting to a root account), that autonomous invocation increases risk if the skill is triggered unexpectedly. On its own the persistence settings are not excessive.
What to consider before installing
This skill appears to implement an automated deploy for a specific server, but it has several red flags you should address before installing or running it:
- Do not run it without verifying the target server: confirm 203.170.59.16 is your intended host and that running commands as root is acceptable.
- The SKILL.md expects to use your private SSH key (~/.ssh/id_ed25519 or $env:USERPROFILE\.ssh\id_ed25519). Treat this as highly sensitive: only allow access after reviewing the commands and ensuring the agent/process will not copy or transmit the private key elsewhere.
- The skill did not declare required binaries (mvn, ssh, scp, tail, netstat, awk) or required config/credentials. Prefer a version that exposes server IP, user, key path, and local build path as explicit, user-confirmed inputs rather than hard-coded values.
- Because the skill can be invoked automatically by trigger phrases, consider disabling autonomous invocation or removing the automatic triggers until you’ve validated behavior.
- If you want to use this, request a modified SKILL.md that: parameterizes the server and key, documents required binaries, and explicitly asks for permission to access the SSH key (or uses a deploy user with limited privileges / deploy key).

If you cannot confirm the host, key usage, and that the commands are safe, do not run this skill.


latest: vk979axhtfchbh2wbwwj16b3nwx84dn39
