Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
CLI-Anything for OpenClaw
v1.0.0
Use when the user wants OpenClaw to build, refine, test, or validate a CLI-Anything harness for a GUI application or source repository. Adapts the CLI-Anythi...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the SKILL.md. The skill expects a local source path or GitHub URL and describes producing a Python Click-based harness, testing, and packaging — all coherent with its declared purpose. It does not request unrelated credentials, binaries, or config paths.
Instruction Scope
Instructions are focused on analyzing source trees, generating harness files, running tests, and validating installation. They explicitly recommend running 'pip install -e .' and executing the built CLI (e.g., via subprocess). This is expected for a harness builder but means the agent will execute code from the target repository at runtime — review or sandbox untrusted repos before running.
Install Mechanism
No install spec or code files are included (instruction-only), so nothing will be written or installed by the skill itself. Lowest-risk install surface from the skill bundle.
Credentials
The skill declares no required environment variables, credentials, or config paths. The SKILL.md does not reference hidden env vars. Requested permissions are proportional to the stated task.
Persistence & Privilege
always: false and no special persistence or privileges requested. The skill does not modify other skills or agent-wide settings.
Assessment
This skill appears coherent for generating and testing Python CLI harnesses. Practical cautions: the runtime workflow expects the agent to acquire source code, run tests, and perform 'pip install -e .' and subprocess calls against the target project's CLI — actions that execute code from the target repository. If the repository is untrusted, run these steps in an isolated environment (container, VM, sandbox), or manually review the code before allowing execution. Because the skill is instruction-only, there is no bundled install to inspect further; if you want higher assurance, provide a sample repository or request a dry-run that only outputs planned file changes rather than running installs/tests.
Like a lobster shell, security has layers — review code before you run it.
automation, builder, cli, latest
