ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mac-app-launcher

v1.0.0

查询和打开 macOS 应用程序。通过关键词搜索已安装的 App,并使用 open 命令启动。 当用户要求查找、搜索、列出、打开某个 Mac 应用程序时使用。

0· 171·0 current·0 all-time
bywei.wu@dlutwuwei
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md behavior (using mdfind, ls, grep, and open to find and launch .app bundles) matches the declared purpose. However the registry metadata did not declare any required binaries or an OS restriction even though this is macOS-specific and depends on mdfind/open. That mismatch is an incoherence that should be corrected.
Instruction Scope
The instructions are narrowly scoped to searching Spotlight indexes and listing /Applications paths, then launching apps with open. They do not instruct reading unrelated files or exfiltrating data; their commands operate only on typical application locations and names.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so nothing will be written to disk by an installer. That is the lowest-risk install mechanism.
Credentials
The skill requires no environment variables or credentials and does not request excessive access. It does read typical system/application directories, which is appropriate for its stated goal.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously by the agent (disable-model-invocation:false), which is expected, but note that autonomous invocation would allow the agent to launch local macOS applications without additional confirmation.
What to consider before installing
This skill appears to do what it claims (search Spotlight and run open to start apps), but take these precautions before installing: 1) Only install if you run macOS — the skill depends on macOS tools (mdfind, open) though it doesn't declare that. 2) Because the skill can launch local apps, consider whether you want an agent able to start software autonomously; disable autonomous invocation if you prefer manual confirmation. 3) The skill has no homepage and an unknown source; prefer skills with verifiable provenance. 4) Ask the author to add explicit metadata: required binaries (mdfind, open, grep/ls) and an OS restriction to macOS. If you accept those caveats, the skill is functionally coherent; if not, avoid installing it.

Like a lobster shell, security has layers — review code before you run it.

latestvk9705xb1ctrr0s9q2cqzfjh4a1832twm

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments