Skill v1.0.0
ClawScan security
done · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 10, 2026, 2:51 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an on-disk installer that mostly matches its description, but it uses hardcoded Windows paths and performs unsafe ZIP extraction and file operations that could overwrite or delete arbitrary files — review before running.
- Guidance: This installer largely does what it says, but you should not run it blindly.
  Specific concerns:
  - The code uses zipfile.extractall without sanitizing filenames; a crafted ZIP can include absolute paths or ../ segments and overwrite files outside the temp directory. This can enable file overwrite or deletion on your system.
  - The installer uses a hardcoded Windows path (/mnt/c/Users/yanha/...), so it may operate on the wrong user's Desktop or fail on your machine.
  - The SKILL.md's name field is used directly as the destination folder name; a malicious name could cause unexpected paths.
  - The installer deletes existing skill folders (shutil.rmtree) before copying — you can lose data if the target is misresolved.
  What to do before installing:
  - Inspect the ZIP contents manually (or list its entries) before running the installer.
  - Run the installer in a safe/isolated environment (non-privileged account, VM) or after backing up your Desktop and skills directories.
  - If you plan to use this tool regularly, modify the code to: validate/sanitize ZIP member paths, refuse absolute or parent-traversal paths, canonicalize and constrain destination paths to a safe base directory, and replace the hardcoded Windows username with a dynamic lookup or configuration option.
  - Do not run this with elevated privileges.
  If the author can provide a version that safely validates archives and uses configurable target paths, re-evaluate for lower risk.
Review Dimensions
- Purpose & Capability (note): Name and description match the code: it extracts a ZIP and copies its contents into a WSL skills directory and a Windows Desktop 'skills' folder. However, the code uses a hardcoded Windows user path (/mnt/c/Users/yanha/...), which is not explained by the metadata and is not appropriate for a general-purpose tool. This is inconsistent (works only for a specific username) and may lead to unexpected behavior on other machines.
- Instruction Scope (concern): SKILL.md and install.py instruct the agent to read the provided ZIP, parse SKILL.md from inside it, and copy files into user locations (WSL ~/.openclaw/... and Windows Desktop). The installer deletes existing target directories and copies files recursively. The code uses zipfile.extractall without sanitizing archive entries, and it uses the extracted SKILL.md's name field as the destination folder name — both allow path traversal or malicious archive contents to overwrite or create files outside the intended directories.
- Install Mechanism (ok): No external install steps or network downloads are used; the skill is instruction/code-only and runs locally. There is no download-from-URL or third-party package installation, which reduces supply-chain risk.
- Credentials (note): The skill declares no required environment variables or credentials, which is consistent, but the code hardcodes Windows paths for a specific user ('yanha') and also assumes WSL mount points. That is a disproportionate and brittle assumption and may cause files to be written to unintended locations or fail silently if paths don't exist.
- Persistence & Privilege (concern): The skill is not force-installed (always:false) and does not modify other skill configs, but it performs destructive filesystem operations: removing existing skill directories (shutil.rmtree) and copying archives into user directories. Combined with the unsafe extraction and use of the SKILL.md name as a path, this grants it a high potential to overwrite/delete user files on both WSL and the Windows desktop.
