Skill Safe Install

Warn

Audited by ClawScan on May 10, 2026.

Overview

This is a coherent security-install tool, but it runs shell commands with an unvalidated skill name and appears to use an install command before finishing its safety checks.

Review this skill before installing. If you use it, pass only normal trusted skill slugs, avoid `--force`, `--no-vetter`, and `--no-scan` unless you understand the risk, use a dedicated ThreatBook API key, and do not add the shell override unless you want it to affect future `clawhub install` commands.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted skill name could cause local shell commands to run under the user's account when the installer checks or installs a skill.

Why it was flagged

The user-provided skill name is inserted into a shell command string that is executed with `execSync`; double-quoting does not prevent shell command substitution and does not remove all shell metacharacter risks.

Skill content

const skillName = args.find(a => !a.startsWith('--')); ... execCommand(`clawhub inspect "${skillName}"`, { silent: true }); ... const result = execSync(cmd, {

Recommendation

Validate skill names against a strict slug pattern and replace `execSync(commandString)` with `execFileSync` or `spawnSync` using an argument array and no shell.

What this means

If `clawhub install --dir` performs install-time actions, an unsafe skill could run code or cause side effects before this tool finishes its checks.

Why it was flagged

The pre-vetting step obtains the target by invoking an `install` command before the safety decision; the artifacts do not show a download-only or no-scripts mode.

Skill content

const downloadResult = execCommand(`clawhub install "${skillName}" --dir "${tempDir}"`, { silent: true });

Recommendation

Fetch packages through a download-only registry API or a verified archive extraction path, and explicitly disable install hooks or execution until after checks pass.

What this means

The tool will use the configured ThreatBook account/API quota when scanning skills.

Why it was flagged

The skill requires a ThreatBook API key, which is expected for sandbox scanning and is disclosed in the documentation.

Skill content

`THREATBOOK_API_KEY` | ✅ | ThreatBook sandbox API key

Recommendation

Use a dedicated API key with the minimum needed privileges or quota, and do not share it in prompts, logs, or public files.

What this means

Skill archives selected for scanning are sent to an external sandbox provider.

Why it was flagged

The skill discloses that files are uploaded to ThreatBook for analysis and warns users not to upload sensitive or confidential files.

Skill content

Privacy: uploaded files will be analyzed by ThreatBook; do not upload sensitive/confidential files

Recommendation

Avoid scanning private or confidential code unless you are comfortable sending it to ThreatBook, and review the provider's data-retention terms.

What this means

If the user adds this function to their shell profile, future installs will be intercepted by this wrapper until the shell configuration is changed.

Why it was flagged

The README suggests an optional shell function that persistently routes future `clawhub install` commands through this skill.

Skill content

clawhub() { if [ "$1" = "install" ] && [ -n "$2" ]; then node ~/.openclaw/workspace/skills/skill-safe-install/scripts/safe-install.mjs "$2" "${@:3}"

Recommendation

Only add the alias/function if you want this persistent behavior, and keep a clear way to bypass or remove it.