Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Doctor

v1.0.0

Scans the skills folder for new, unused, or missing dependencies; fixes requirements.txt; and tests a skill in or out of sandbox.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Benign (high confidence)
Purpose & Capability
Name and description match what the files do: scan Python imports vs requirements.txt, optionally write requirements.txt, and invoke a local skill-tester. No unrelated binaries, credentials, or config paths are requested.
Instruction Scope
SKILL.md and the script restrict operations to reading .py files and requirements.txt under workspace/skills and running the skill-tester. The only broader behavior is the ability to run tests with --no-sandbox, which intentionally executes tests in the full environment (network allowed) — this is expected for a test tool but is a security-relevant capability the user should be aware of.
Install Mechanism
No install spec; the skill is instruction+script only and does not download or extract third-party code during install. Suggested git clone URL in docs is a generic placeholder and not used by the code itself.
Credentials
The script reads OPENCLAW_HOME (optional) and sets OPENCLAW_DOCTOR_NO_SANDBOX for test runs; it does not request secrets, tokens, or unrelated environment variables. Read/write access is limited to skill directories and requirements.txt as documented.
Persistence & Privilege
The skill is not always-on and does not modify other skills' configs. It can execute the skill-tester subprocess (and tests may run arbitrary code), and the agent can invoke the skill autonomously by default. That is normal for skills, but combined with running untrusted tests it increases the blast radius if misused.
Assessment
This skill appears to do exactly what it says: scan imports, update requirements.txt, and run tests. Before using it, consider: (1) Use --dry-run when fixing to review changes before writing requirements.txt. (2) Only run --test --no-sandbox on skills you trust, because no-sandbox lets tests run with full environment and network access. (3) Ensure the skill-tester implementation you have under workspace/skills/skill-tester is the expected code (a malicious or tampered skill-tester could execute arbitrary actions). If those conditions are acceptable, installing/using this skill is reasonable.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dbsf7fsneaa3n9vt4sdnn8x82390x
