Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gstack Openclaw Skills
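v1.0.0
The WorkBuddy/OpenClaw adaptation of gstack. Derived from gstack (Y Combinator, Garry Tan) and optimized for AI assistant platforms such as WorkBuddy/OpenClaw. Includes 15 professional tools covering the complete development workflow, from product ideation to code release.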
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name, description and many SKILL.md files describe developer workflows (code review, QA, ship, office-hours) and the included helper scripts (command_router.py, state_manager.py) are consistent with that purpose. However the package claims 'no special dependencies' and 'instruction-only' in registry metadata, yet contains an install.sh and executable helper scripts — suggesting more than pure prompt-level behavior. That's plausible for a workflow skill but is a modest inconsistency to surface.
Instruction Scope
The runtime docs and conversation examples instruct the agent to perform broad actions: read logs (auth.log), access working directories, run tests, modify files, run install scripts, restart services, push commits and create PRs, and deploy to production. Those operations require filesystem, network and credential access and go well beyond read-only assistance. The SKILL.md does not declare or limit these accesses, which is scope creep and increases potential for unintended access or exfiltration.
Install Mechanism
Registry has no formal install spec, yet the repo includes an install.sh and the FINAL_SUMMARY documents a one-click install that clones https://github.com/AICreator-Wind/gstack-openclaw-skills.git and copies files into ~/.openclaw/skills/. An included install script that clones and writes files is higher-risk than a purely instruction-only skill: it will write to disk and may run arbitrary shell commands. The clone target is a third-party GitHub repo (not obviously the registry owner); without inspecting install.sh contents, this is potentially unsafe.
Credentials
requires.env lists no credentials, yet the documentation shows actions that normally require credentials (git push, PR creation, deploy, restarting services). The skill appears to rely on whatever credentials exist in the user's environment (local git config, SSH keys, cloud CLI creds). Not declaring or limiting this implicit use of existing credentials is a mismatch and raises the risk that the skill will perform privileged actions using the user's credentials without explicit consent.
Persistence & Privilege
always is false and the skill is user-invocable (normal). The package claims a one-click conversational install which implies the agent will write files into the user's skills directory and possibly persist state via the included state_manager — those are expected for an installed skill. This level of persistence is reasonable for a workflow skill, but, combined with the concerns above (install script + broad runtime actions), it increases the blast radius if the install or scripts are malicious.
What to consider before installing
This skill appears coherent for a developer workflow toolkit, but exercise caution before installing. Specifically:
- Inspect install.sh and the two Python scripts (command_router.py, state_manager.py) yourself before running anything; look for network calls, curl/wget, obfuscated commands, or calls to external endpoints.
- Because the docs describe cloning a GitHub repo and writing into ~/.openclaw/skills/, run the install script in a sandbox or VM first—not on a production workstation.
- Note the skill's examples show reading logs, editing files, running tests, restarting services, and pushing commits: these use your local credentials (git, cloud, system). Only allow the skill to run if you accept that it may use those existing credentials implicitly.
- If you want to proceed, review the remote repository (https://github.com/AICreator-Wind/gstack-openclaw-skills.git) and confirm maintainers/trust, or manually copy vetted files rather than running an automated installer.
- If you lack the ability to audit the scripts, avoid conversational one-click install; prefer manual installation after code review.
If you want, I can summarize the install.sh and the two Python scripts (command_router.py, state_manager.py) for suspicious patterns—provide their contents or allow me to fetch them and I’ll review line-by-line.
Like a lobster shell, security has layers — review code before you run it.
