Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PansClaw Code

v0.1.0

Use the PansClaw Code CLI (Rust reimplementation of Claude Code) for AI-assisted coding. Triggers when: user wants to run coding tasks via pansclaw code, del...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to run a local 'PansClaw/Claw' CLI for coding (reasonable), and cloud fallbacks that legitimately need API keys. However the registry metadata declares no required env vars while the SKILL.md and references explicitly ask for MINIMAX_API_KEY, ANTHROPIC_API_KEY and OPENAI_API_KEY. That metadata mismatch (plus no homepage/origin) is incoherent and increases risk because the agent won't surface required credentials up-front.
Instruction Scope
Runtime instructions tell the agent to build local source (cargo build) from absolute user-specific paths (/Users/dashi/... and /Users/dashi/.openclaw-pansclaw/...), create symlinks into ~/.local/bin, and run the CLI with --dangerously-skip-permissions and a permission mode 'danger-full-access'. Those steps can give the CLI broad write/exec access to the workspace and bypass interactive permission checks; the skill also references many management commands (agents, skills, hooks, mcp) suggesting the CLI can modify/execute other components. The instructions do not limit what the CLI may do after being run.
Install Mechanism
There is no install spec (instruction-only), which minimizes remote code fetch risk. Included helper scripts perform local cargo builds and symlinks (no network downloads other than suggesting rustup). However there are inconsistencies in package names used across files (SKILL.md shows cargo -p claw-cli, scripts/quickstart/build use rusty-claude-cli, scripts use rusty-claude-cli), suggesting sloppy copy-paste or mismatched build targets that could cause unexpected behavior during build/install.
Credentials
The skill asks for multiple API keys (MINIMAX_API_KEY, ANTHROPIC_API_KEY, OPENAI_API_KEY) in the docs but the registry lists none — requiring multiple cloud credentials is not unreasonable for multi-provider support, but it should be declared. More importantly, the assets and examples enable 'danger-full-access' and --dangerously-skip-permissions which grant broad workspace access; that privilege is disproportionate unless the user explicitly consents and understands the risk.
Persistence & Privilege
The skill is not marked always:true and does not request system-level persistent privileges in the registry. It does, however, instruct creating a symlink into ~/.local/bin and running a CLI that can manage agents/skills; this grants persistent local tooling presence. That behavior can be normal for a CLI but combined with skip-permissions and missing provenance increases risk.
What to consider before installing
This skill appears to be a local CLI wrapper for an AI coding assistant, but there are several red flags you should verify before installing or running it:

- Provenance: The skill has no homepage or clear source. Prefer only installing tools from known repositories or vendor sites. Ask the publisher for the upstream repo or release URL.
- Metadata mismatch: The registry lists no required env vars but the SKILL.md and references require MINIMAX_API_KEY, ANTHROPIC_API_KEY and (in places) OPENAI_API_KEY. Confirm which credentials are actually needed and why.
- Absolute paths & user-specific files: The instructions and scripts reference /Users/dashi/... and ~/.openclaw-pansclaw/... which suggests the package was built for a specific machine. Inspect and adjust paths before running to avoid surprising file operations.
- Dangerous permission flags: The skill and asset files enable 'danger-full-access' and encourage --dangerously-skip-permissions. Do not run with those flags unless you fully trust the binary and understand it can read/modify your workspace and manage agents. Prefer read-only or workspace-write permission modes and keep interactive permission prompts.
- Inconsistent package names: The build targets differ across files (claw-cli vs rusty-claude-cli). Before building, open the Rust project to confirm the correct crate/package and review source code for unexpected network endpoints or commands.
- Recommended steps if you want to try it safely:
  1) Request the upstream repository or a signed release. Verify code before building.
  2) Build in an isolated environment (container or disposable VM), do not run with --dangerously-skip-permissions there.
  3) Inspect the built binary (strings, ldd, network activity) and run health checks (/doctor) in a sandbox.
  4) Only provide cloud API keys that are scoped/minimized and revoke them if suspicious activity is observed.

If you cannot obtain the upstream source or a trustworthy release, treat this skill as untrusted and avoid installing it on your primary machine.

Like a lobster shell, security has layers — review code before you run it.
