Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Windows package manager installer
v1.0.0
Install Windows software and Windows package manager environments. Use when the user wants to install a Windows application, explicitly wants to install or c...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign (high confidence)
Purpose & Capability
Name/description align with the instructions: the SKILL.md describes checking for winget/choco, preferring package-manager installs, and installing/configuring Chocolatey or repairing winget. There are no unrelated environment variables, binaries, or config paths requested.
Instruction Scope
Instructions stay on-task (detect environment, choose winget vs choco, provide commands, verify install). Two items to note: (1) the skill encourages a 'best-effort search-and-install' approach that could lead to installing a package without extra user confirmation, and (2) it explicitly recommends executing a remote-install PowerShell command for Chocolatey (iex (New-Object System.Net.WebClient).DownloadString(...)), which is typical for choco but is an action that downloads and executes remote code.
Install Mechanism
This is instruction-only (no install spec). The SKILL.md directs the user/agent to run the official Chocolatey install script from community.chocolatey.org and to configure a Tsinghua mirror for Chocolatey. Those are coherent with the purpose but represent higher-risk operations (remote script download+execute, and switching package sources).
Credentials
The skill requests no environment variables or credentials. It sensibly instructs checks for Windows, PowerShell availability, and administrative/elevation context before performing privileged installs.
Persistence & Privilege
Skill is not always:true and does not request persistent or cross-skill configuration. Autonomous invocation is allowed (platform default) but the skill does not itself demand elevated privileges or permanent presence.
Assessment
This skill appears coherent for its goal, but be careful before running the commands it recommends:
- Installing Chocolatey via the provided iex (DownloadString) pattern downloads and executes a remote script — verify the URL and trust the source before running it. This is the standard choco install flow, but it's inherently higher risk than purely local steps.
- The skill suggests switching Chocolatey to a Tsinghua mirror; mirrors can be useful but you should confirm you trust that mirror and understand you are changing the package source for future installs/updates.
- The skill favors a 'best-effort' install approach; ensure the agent asks you (or you ask) for explicit confirmation before performing privileged installs or running commands that require administrator access. Also verify package IDs returned by searches before executing install commands.
If you want tighter control, ask the agent to only provide the commands and not execute them, or to always request your explicit confirmation before any privileged operation.
Like a lobster shell, security has layers — review code before you run it.
