Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Python Venv

v1.2.0

Python environment management skill. Automatically detect project type and existing environments, recommend based on popularity. Minimize interruptions, only...

by Simon @cikichen
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description align with the instructions: detecting project files, reusing/creating virtual environments, and choosing between uv/pip/conda/venv is coherent. The commands and file checks are directly relevant to environment management.
! Instruction Scope
Runtime instructions reference system files and environment variables (e.g., .venv/, requirements.txt, $VIRTUAL_ENV, $CONDA_PREFIX) which is appropriate for detecting environments, but the skill also recommends destructive actions (rm -rf .venv) and automating remote installs and activations. It does not limit or require explicit user confirmation for those destructive or network-install actions.
! Install Mechanism
Although the skill is instruction-only (no install spec), the troubleshooting doc instructs installing 'uv' by piping a remote script (curl ... | sh or irm ... | iex from https://astral.sh). Running a remote install script without verification is a high-risk pattern and should be treated cautiously.
Credentials
The skill declares no required environment variables, but its instructions read $VIRTUAL_ENV and $CONDA_PREFIX to detect active environments — this is normal and reasonable for the purpose. There are no unrelated credentials requested. Still, the skill will inspect filesystem and environment state, so consider that it can read project files and typical venv-related env vars.
Persistence & Privilege
Instruction-only skill, no install spec, always:false and no claimed persistence. It does not request system-wide config changes in the provided docs. Autonomous invocation is allowed by default (platform behavior) but not combined here with broad credential access.
What to consider before installing
This skill is generally coherent for managing Python virtual environments, but be cautious before letting it run commands automatically. Two specific risks to consider: (1) The docs recommend installing 'uv' by piping a remote script from https://astral.sh (curl | sh / irm | iex). Avoid blind piping remote scripts — verify the source or install via your OS/package manager instead. (2) Troubleshooting recommends 'rm -rf .venv' to recover a broken venv, which will irreversibly delete the environment; require user confirmation before destructive actions. Also note the skill reads environment variables like VIRTUAL_ENV and CONDA_PREFIX and inspects project files (expected behavior) — ensure you trust the agent to run filesystem commands. If you want to reduce risk, require explicit user consent for installs and deletions, or run the recommended commands manually after reviewing them.

