Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
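Skill Update Manager
v1.0.1
Manages the registration, version tracking, and automatic update checks of installed skills; use when the user installs a new skill, checks for skill updates, or configures an update policy.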
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the code: the script extracts SKILL.md metadata, registers skills, and checks GitHub/ClawHub for releases. Network access to GitHub/ClawHub and parsing HTML/JSON is expected for this purpose. Minor mismatch: SKILL.md instructs a 'working directory MEMORY.md', but the script targets a specific MEMORY.md path computed relative to the script (SCRIPT_DIR.parent.parent.parent / 'workspace' / 'MEMORY.md'), which may not be the same file the user expects.
Instruction Scope
The SKILL.md tells the agent to read/write a MEMORY.md in the current working directory and to auto-extract metadata and run git clone / downloads. The actual script will read and may overwrite a MEMORY.md at a path relative to the installed script (not necessarily the agent's current working directory). The script's _init_memory_config claims to 'only append, not create' but opens the file with 'w' and writes existing_content + config_content (overwriting), so it can modify/replace a user's MEMORY.md unexpectedly. Automatic cloning/downloading of repos (as part of update/installation flows) is also part of the expected behavior but increases risk because it fetches and places remote code on disk.
Install Mechanism
There is no installer (instruction-only skill) which is lower risk; however, the bundle includes an executable Python script that will be run by the agent. No external package download or installer URL is specified. The presence of runnable code in the skill bundle means you should review the script before allowing execution.
Credentials
The skill requests no environment variables or credentials. It uses unauthenticated GitHub API endpoints and HTML scraping for ClawHub — appropriate for checking public releases. There are no unexpected credential requests. One behavior to note: when no update_url is provided the script auto-generates a GitHub URL (https://github.com/user/{name}), which could lead the agent to access arbitrary GitHub paths based on skill names.
Persistence & Privilege
always:false (good). But the script writes a skills_registry.json into the skill package area and will write to a MEMORY.md at a computed path. The script's documented behavior ('append only') contradicts its implementation (it may overwrite MEMORY.md). Writing/modifying a top-level agent MEMORY.md or workspace file is a persistent and potentially disruptive side-effect — this deserves caution and validation of the exact paths used in your environment.
What to consider before installing
- Review the included script (scripts/skill_registry.py) yourself before allowing the agent to run it. It performs file writes (skills_registry.json and a MEMORY.md at a path relative to the skill), network requests to GitHub/ClawHub, and may trigger git clone/downloads.
- BACKUP your workspace/MEMORY.md before first use. The script claims to 'append' but uses 'w' and may overwrite that file; confirm the MEMORY_FILE path matches where you want configuration written.
- Confirm where skills_registry.json will be stored (it's under the skill package parent directory) and whether that location is acceptable.
- If you allow automatic update checks, be aware the agent will contact GitHub and fetch repositories (possible supply of arbitrary code). Only enable this for trusted skills and consider running updates in a sandboxed environment.
- If you want safer behavior, modify the script to: (1) use a configurable MEMORY path (avoid hard-coded multi-parent traversal), (2) open MEMORY.md with append mode or perform a careful merge instead of blind 'w', and (3) avoid auto-generating GitHub URLs without user confirmation.
Overall: functionally coherent for an update manager, but implementation bugs and file-write behavior make it suspicious until reviewed and adjusted to match the environment and your safety expectations.
