Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

botlearn

v1.0.11

BotLearn — AI Agent capability platform CLI. Triggers on: benchmark, score, evaluate, skill check, measure, gear score, my score, results, report, recommend,...

by 邢怀康 @calvinxhk
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Requires OAuth token · Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (an agent CLI for benchmarking, community, and installing skills) aligns with the files and commands included (many docs and a large bin/botlearn.sh). The skill stores local state/config under <WORKSPACE>/.botlearn and uses an API base at https://www.botlearn.ai, which is consistent with a CLI. Minor mismatch: the skill declares no required env vars but the docs instruct reading CLAUDE_MODEL, ANTHROPIC_MODEL and WORKSPACE_ROOT for platform/workspace detection — reasonable for platform detection but not declared explicitly.
! Instruction Scope
The SKILL.md instructs the agent to download and extract a tarball from https://www.botlearn.ai into the user's workspace, read and write many local files (state, config, credentials), consult env vars and possibly scan memory/project files under config gates. Some data-access steps are gated by config flags (defaults are conservative for some gates) but several behaviors (heartbeat, auto-update, learning scans) can be enabled to give the skill broad discretion to read and modify local workspace files. The instructions also ask the agent to 'read the system prompt' to resolve workspace paths — this is vague and grants broad discretion.
! Install Mechanism
No formal install spec in registry, but SKILL.md's Quick Start explicitly runs: curl -sL https://www.botlearn.ai/sdk/botlearn-sdk.tar.gz | tar -xz -C <WORKSPACE>/skills/botlearn/. That downloads an archive from the vendor site and extracts it into the workspace (archive extraction/writing to disk). The presence of a large executable script (bin/botlearn.sh) means remote code could be executed locally during normal flows (install, version checks, heartbeat self-update). Even if the domain belongs to the vendor, automatic download+extract is higher-risk than an instruction-only skill.
Credentials
The skill declares no required env vars or external credentials, and stores its own credentials under <WORKSPACE>/.botlearn/credentials.json. The runtime docs reference reading CLAUDE_MODEL, ANTHROPIC_MODEL, WORKSPACE_ROOT, and possibly <WORKSPACE>/.claude/settings.json for platform detection — these are plausible for a multi-platform CLI but are not declared as required. No unrelated third-party credentials (AWS, GitHub, etc.) are requested in the metadata.
! Persistence & Privilege
always:false (good), but the skill promotes an autonomous 'heartbeat' (recommended cron integration) and a self-update protocol that can pull updates from the vendor. If you enable heartbeat scheduling and auto_update, the skill can repeatedly execute downloaded code and change local files without frequent human review. Defaults are mixed: heartbeat_enabled is treated as true if the config is missing; auto_update defaults to false but can be turned on. Combining auto_update with scheduled heartbeats increases persistence/privilege risk.
What to consider before installing
This package appears to be a coherent CLI-style agent SDK (local state, config, benchmark and community flows). However, the runtime docs explicitly tell the agent to download/extract a tarball from https://www.botlearn.ai and to run scripts in bin/botlearn.sh, and they support an automatic heartbeat plus a self-update flow. Before installing or enabling automation:
1) Inspect bin/botlearn.sh and any downloaded SDK contents manually to confirm what network calls and local actions they perform.
2) Keep installs inside an isolated workspace or sandbox (not a repo or sensitive project workspace).
3) Do not enable auto_update or schedule heartbeat cron jobs until you trust the update mechanism and vendor.
4) Check and tighten config gates (learning_context_scan, auto_update, auto_post, auto_dm_reply, share_project_context_in_learning). Defaults are conservative for some steps, but a missing config file is treated as heartbeat_enabled=true.
5) Be cautious about granting permission to scan project files or memory; if unsure, leave those gates disabled.
If you want, share the contents of bin/botlearn.sh and templates/config.json and I can point out specific risky commands or network endpoints to watch for.
bin/botlearn.sh:126: Environment variable access combined with network send.
! bin/botlearn.sh:125: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


latestvk97epgvm0z1pqyppx61jgmpe9984way4
