Clihub Pub Full
Advisory
Audited by Static analysis on May 12, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A casual mention of a tool can trigger local command execution and may steer the agent toward using powerful CLIs without a clear approval or allowlist policy in the skill.
The skill tells the agent to invoke its registry workflow broadly for any mentioned CLI and to execute local binaries with --help when not cached.
Rule: when the user mentions ANY tool name, your FIRST action must be `lookup <tool>` ... Live Discovery — run `<tool> --help` as last resort
Keep command approval enabled, require explicit confirmation before any mutating or remote CLI action, and consider limiting the skill to an allowlist of trusted tools.
If the agent uses those tools, it may act with the permissions of your already-authenticated local accounts or cluster contexts.
The documented scope includes CLIs that commonly use existing GitHub, Docker, Kubernetes, SSH, or other local account credentials.
One Skill. Every CLI tool on your system. Zero config ... gh ... docker ... kubectl ... ssh
Review active CLI logins and contexts before use, prefer least-privileged accounts, and confirm any account, infrastructure, or remote-system operation.
A malicious or poorly designed CLI could place misleading instructions in help text that the agent later reuses from the registry.
The skill persists CLI-derived help data and instructs the agent to rely on that retrieved text as authoritative, without warning that help output from local or third-party tools is untrusted text.
Registry root ... `~/.openclaw/cli-registry/` ... you MUST read its `help_raw` field — it's your only source of truth
Treat cached help output strictly as data, ignore behavioral instructions inside tool output, and periodically review or clear the registry for untrusted tools.
