Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clawsec-suite
v0.1.5
ClawSec suite manager with embedded advisory-feed monitoring, cryptographic signature verification, approval-gated malicious-skill response, and guided setup...
⭐ 7· 7.4k·54 current·58 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious · medium confidence
Purpose & Capability
Name, description, SKILL.md, and the included code are coherent: the package implements advisory feed polling, signature/checksum verification, local state, and an advisory hook that inspects installed skills. However the declared required binaries omit tools that the runtime instructions and scripts clearly need (notably node and unzip and shell utilities used in examples), which is an inconsistency a user should understand before installing.
Instruction Scope
Runtime instructions and hook code stay within the stated purpose: they fetch a signed advisories feed, compare against installed skills (reading skill.json files under the install root), track state, and push alert messages. The docs ask the operator to set up a hook/cron; the hook does not delete or modify skills by itself. Note: the SKILL.md suggests using 'npx clawhub@latest' to install (executes remote code transiently) and instructs running node scripts that will fetch remote indexes (https://clawsec.prompt.security/skills/index.json). Both behaviors are expected for a suite manager but widen the trust surface and should be reviewed.
Install Mechanism
There is no formal install spec even though many code files are included. SKILL.md documents two installation options: (A) npx clawhub@latest (pulls and runs remote npm code), and (B) manual download from GitHub releases with signature + checksum verification. The GitHub-hosted release approach is reasonable (well-known host) and the example verifies signatures and checksums, but the instruction examples rely on unzip, node, mktemp, and other commands not listed in the required binaries. The presence of both npx and archive extraction means the user will run remotely fetched code (npx) or extracted release code — moderate-risk install paths that require careful verification.
Credentials
The skill does not declare or require any secret environment variables or credentials. It exposes many optional environment overrides (feed URL, public key path, allow-unsigned toggle, state file path) that are relevant to its operation. All environment and filesystem access in code (reading the feed signing key, state file, installed skills' skill.json) aligns with the stated purpose.
Persistence & Privilege
The skill is not always-enabled (always: false) and model invocation is allowed (platform default). The hook is registered for agent events (bootstrap, command:new) but SKILL.md instructs the user to run setup scripts to enable the hook/cron; it does not appear to auto-enable or modify other skills. No excessive persistent privileges are requested by the code itself.
What to consider before installing
What to check before installing:
- Missing runtime deps: SKILL.md and included scripts expect node and unzip (and other shell tools), but the skill's declared required binaries omit node/unzip—ensure you have the right runtime and understand where scripts will run.
- Install choices: 'npx clawhub@latest' will fetch and execute remote npm code (transiently running code you must trust). The manual GitHub archive path is from a well-known host and the script demonstrates signature + checksum verification — verify the public key fingerprint out-of-band before trusting it.
- Review the included code: the bundle contains hook and verification code; read the feed URL, the allowlist of domains, and the signature verification logic to confirm it matches your threat model (the domain allowlist includes clawsec.prompt.security, prompt.security, raw.githubusercontent.com, github.com).
- Feed index and dynamic catalog: the suite fetches a remote catalog and advisories; that remote index can control which additional installers you run. Treat the remote index as a trusted source and inspect it.
- Least privilege: run setup/install under a non-privileged user account and examine any cron entries or agent hook registrations the setup scripts create.
- Verify fingerprints and signatures: the manual install embeds a public key fingerprint; verify it out-of-band (e.g., project website or repo). If you cannot verify, avoid enabling automatic installation/removal flows.
Given the inconsistencies (required binaries omitted, mixed install paths), proceed with caution: the functionality is coherent with the description, but the packaging/installation details need clarification or manual verification before trusting and enabling automated hooks.
scripts/guarded_skill_install.mjs:220
Shell command execution detected (child_process).
scripts/setup_advisory_cron.mjs:13
Shell command execution detected (child_process).
scripts/setup_advisory_hook.mjs:17
Shell command execution detected (child_process).
test/guarded_install.test.mjs:98
Shell command execution detected (child_process).
test/heartbeat_version_check.test.mjs:26
Shell command execution detected (child_process).
test/skill_catalog_discovery.test.mjs:25
Shell command execution detected (child_process).
scripts/discover_skill_catalog.mjs:29
Environment variable access combined with network send.
test/skill_catalog_discovery.test.mjs:26
Environment variable access combined with network send.
hooks/clawsec-advisory-guardian/lib/feed.mjs:445
File read combined with network send (possible exfiltration).
scripts/discover_skill_catalog.mjs:117
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📦 Clawdis
Bins: curl, jq, shasum, openssl
