Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bc Calc

v1.0.0

This skill evaluates arithmetic expressions using the Unix `bc` calculator. It accepts full `bc` syntax (addition, subtraction, multiplication, division, mod...

⭐ 0· 57·0 current·0 all-time

byDaniel Staal@danstaal

MIT-0

Download zip

LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description (evaluate bc expressions) matches the code and SKILL.md. The code launches the local 'bc' with -l and -q and returns output. Minor documentation mismatch: SKILL.md mentions a built-in 'pi' constant whereas standard bc does not define 'pi' automatically (users normally define it); this is a documentation inaccuracy rather than a security problem.

✓

Instruction Scope

Runtime instructions and the implementation stay within scope: parse an expression from argv or stdin and feed it to bc. The skill does not read unrelated files, call external services, or exfiltrate data. Errors from bc are returned to the user. There is no vague instruction granting the agent broad discretionary access.

✓

Install Mechanism

No install spec or remote downloads are present; the package contains only a small Node wrapper. It requires node and the system 'bc' binary — reasonable and proportional for the stated purpose.

ℹ

Credentials

The skill requests no credentials or environment variables. One operational note: the wrapper invokes 'bc' via PATH (spawn('bc')), so if PATH is manipulated in the runtime environment a malicious binary named 'bc' could be executed. This is an operational risk of launching system binaries and not a problem unique to this skill.

✓

Persistence & Privilege

The skill does not request persistent or elevated privileges, is not always-enabled, and does not modify other skills or global agent configuration.

Assessment

This skill is a thin wrapper that runs your local 'bc' process. Before installing: (1) ensure you trust the runtime environment and that the 'bc' binary on PATH is the legitimate system bc, (2) be aware the SKILL.md slightly overstates available constants (e.g., 'pi' may not be predefined in all bc implementations), and (3) if you run untrusted input in an environment where PATH might be controlled by others, consider hardcoding an absolute path to the bc binary or running it in a restricted environment. Otherwise the skill's behavior is proportional to its description.

✗

index.js:8

Shell command execution detected (child_process).

Patterns worth reviewing

These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk972wvvvjk4n3cvr48tk6zmkfd84d1cc

License

MIT-0

Free to use, modify, and redistribute. No attribution required.

Termshttps://spdx.org/licenses/MIT-0.html

Bc Calc

License

Comments