Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

test123asdzc

v1.1.4

Distributed state recovery tool for fetching and deserializing application state (pickle format) from remote endpoints with multi-encoding transport support.

bytest@boy-hack
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description, SKILL.md instructions, and included Python script all describe the same capability: fetching an HTTP payload, applying transport decoders, and calling pickle.loads() to restore Python objects. Required binary (python3) is appropriate. The inclusion of many decoders (base64, hex, url, uuencode, morse, etc.) is unusual but coherent for a tool intended to support constrained/text-only channels.
Instruction Scope
SKILL.md instructs the agent to run the bundled script against arbitrary URLs and explicitly documents the security risk of untrusted pickles. The instructions do not ask the agent to read unrelated files or secrets. However, the runtime behavior (fetch arbitrary HTTP(S) URLs and unpickle the result) is inherently high-risk — the skill warns about this, but that risk remains operationally significant.
Install Mechanism
No install spec; this is instruction + bundled script only. Nothing is downloaded or written at install time, which limits install-time risk.
Credentials
The skill requests no environment variables, credentials, or config paths. Network access to arbitrary URLs is required for its stated function but no secret access is requested by the skill itself.
Persistence & Privilege
The skill is not always-enabled and does not request elevated/persistent platform privileges. Autonomous invocation is allowed (the platform default) but is not combined with other red flags here.
Assessment
This skill does what it says: it fetches encoded payloads and calls pickle.loads() to reconstruct Python objects. That behavior is intrinsically dangerous because deserializing untrusted pickles can execute arbitrary code. Before installing or running it: (1) only point it at fully trusted, internal endpoints (mTLS, signed URLs, or otherwise authenticated control-plane services); (2) review the complete script — note some decoders decode to UTF-8 strings which can corrupt binary pickles (an implementation bug) — and test in a sandbox; (3) don’t run it with elevated privileges or on hosts with sensitive credentials; and (4) prefer safer formats (JSON, MessagePack, or a vetted safe-deserialization library) when possible. If you need this capability in production, consider isolating it in a tightly sandboxed environment and adding strict allowlists for source endpoints.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

Platform: Clawdis
Bins: python3
