Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Kazakh IME

v1.3.0

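Provides a Kazakh input method for OpenClaw and web pages, supporting three input modes (English, Arabic script, and Cyrillic) and virtual keyboard switching.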

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (Kazakh IME) match the provided artifacts: SKILL.md documents keyboard modes, mappings, UI and install steps and the included JS implements DOM hooks, virtual keyboard, mappings and mutation observer. Requiring filesystem write access to the OpenClaw UI (to add the JS and edit index.html) is consistent with installing a client-side IME.
Instruction Scope
Runtime instructions are limited to copying a JS file into the OpenClaw control UI and adding a <script> tag; they do not request environment variables or remote endpoints. However, because the IME necessarily intercepts keyboard events in pages, it can read typed text in inputs/textarea (this is expected for an IME and not flagged in the skill, but is an inherent privacy risk). The install snippets use Windows/Administrator paths, which are platform-specific and assume file-system write access.
Install Mechanism
There is no automated install/spec that downloads remote code; installation is manual (copy file + edit HTML). No URLs for downloads or archive extraction are used in the install instructions, which reduces supply-chain risk.
Credentials
The skill declares no environment variables, no credentials, and no config paths. That is proportionate to a client-side IME which only needs to run in the browser page context.
Persistence & Privilege
The skill does not set always:true and allows normal autonomous invocation. The install instructions modify the application's HTML (index.html in OpenClaw control-ui), which grants the script persistent execution within that UI — this is typical for a UI plugin but does require filesystem write permissions and means the script will run in the app's context thereafter.
Assessment
This skill appears coherent for a browser-based IME, but installing a script into an app's UI gives it runtime access to typed input. Before installing: (1) review the full openclaw-kazakh-ime.js file for any network calls, eval/Function usage, obfuscated strings, or code that sends data off-host; (2) verify the GitHub repository and that the source matches the packaged JS; (3) back up the index.html you will edit and test the script in an isolated environment or non-production profile; (4) confirm the script does not attach to password inputs or other sensitive fields (and if needed, modify it to ignore input[type=password] and other sensitive selectors); (5) prefer installing via an official plugin mechanism or vetted distribution if available. If you want, I can scan the full JS for network/XHR/fetch usage and suspicious patterns or summarize any risky code paths.

Like a lobster shell, security has layers — review code before you run it.
