Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Port Manager

v1.0.0

Port Manager - Track and manage system port usage. Use when: (1) Port conflict when installing software, (2) Check port usage, (3) Release occupied ports, (4...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's functionality (checking/listing/freeing ports) matches the script implementation, but the package metadata declares no required binaries while the script depends on system tools (lsof, jq, ps, kill). The SKILL.md and the script disagree about the ports.json location (SKILL.md: ~/.openclaw/workspace/.port-manager/ports.json vs script: ~/.openclaw/workspace/skills/port-manager/.data/ports.json). These mismatches are unexpected and should be corrected.
! Instruction Scope
Instructions and script operate on system state: they run lsof/ps to enumerate processes, read/write a JSON file under your home workspace, and can terminate processes with kill. Terminating arbitrary processes is a high-impact action; although the script prompts for confirmation, an automated agent or a misused invocation could still terminate services. The SKILL.md also mentions netstat but the script uses lsof; minor mismatch but worth noting.
Install Mechanism
There is no external install/download step or remote code retrieval — the package is instruction+script only and writes files locally. No network fetches or archive extraction were found in the manifest.
! Credentials
The skill requests no credentials, but it accesses the user's HOME to read/write ~/.openclaw workspace and queries system process/state (lsof/ps). It also requires jq and lsof which are not listed in metadata. The ability to inspect and terminate local processes is powerful and not represented in any declared permissions.
Persistence & Privilege
The skill persists its own data under ~/.openclaw/workspace/skills/port-manager/.data/ports.json (and includes sample .data files). It does not request always:true and does not modify other skills. However, because it can kill processes, consider the risk if the agent invokes this autonomously.
What to consider before installing
What to check before installing:
(1) Review the script contents yourself — it runs lsof/ps/jq and can call kill to terminate processes.
(2) Ensure lsof and jq are present and trusted; the metadata should declare those dependencies but does not.
(3) Note the inconsistent documented file location vs the script's actual path — verify where ports.json will be written and back it up if needed.
(4) Prefer running the script manually first to confirm behavior and prompts; do not allow unattended/autonomous execution until you're comfortable it won't kill important services.
(5) If you need stronger guarantees, request the package author to fix the metadata (declare binaries, correct file paths) and to add safer checks (e.g., extra confirmation, limited PID filtering) before trusting autonomous invocation.




Runtime requirements

🔌 Clawdis
