Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill-cleaner

v1.0.0

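Scans all Skills in the workspace, checks whether their authorization, configuration, and environment variables are complete, and can disable or uninstall invalid Skills on demand.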


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for edde-101/skill2cleaner.

Install the skill "Skill-cleaner" (edde-101/skill2cleaner) from ClawHub.
Skill page: https://clawhub.ai/edde-101/skill2cleaner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill2cleaner

ClawHub CLI


npx clawhub@latest install skill2cleaner
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code implements scanning, checking manifests, inspecting env vars, and invoking 'openclaw skills disable/uninstall', which matches the described purpose. However the skill metadata declares no required binaries while the implementation calls the 'openclaw' CLI via subprocess; this undeclared dependency is an inconsistency that will make the skill non-functional or behave unexpectedly when 'openclaw' is missing.
Instruction Scope
SKILL.md instructs running the included script to report/clean skills. The script reads the workspace skills directory and ~/.openclaw/openclaw.json and inspects other skills' SKILL.md/skill.yaml files to determine required env vars. It only checks for presence of env vars (does not print or transmit their values) and uses the 'openclaw' CLI to perform disable/uninstall. SKILL.md does not mention these filesystem/config dependencies or the need for the 'openclaw' binary, which is a documentation gap.
Install Mechanism
There is no external install step or network download; the repository includes the Python script and a small requirements.txt (pyyaml). No remote code fetch is performed during runtime.
Credentials
The skill declares no required environment variables. At runtime it reads whatever env var names it discovers in other skills' manifests to check whether they are set — this is proportionate to diagnosing missing API keys, but it means the script enumerates names of env vars present in the system's environment and will report which are missing. It does not itself request, store, or transmit secret values, but the ability to scan many env var names could reveal which vars are in use.
Persistence & Privilege
The skill does not request permanent 'always' inclusion and does not modify other skills' configurations directly; it invokes the 'openclaw' CLI to disable or uninstall skills (including '--force' for uninstall) which is appropriate for its purpose but is a privileged action — ensure the user running the agent consents before executing cleanup.
What to consider before installing
This skill appears to implement the advertised feature set, but review before use:

  • It calls the 'openclaw' command-line tool, yet the skill declares no required binaries; ensure the 'openclaw' CLI is installed and works on the agent host or the script will fail or report nothing.
  • The script reads ~/.openclaw/openclaw.json and the workspace skills directory to determine disabled/installed skills; make sure you trust the environment and that these paths are correct for your setup.
  • The code checks for environment variable names found in other skills' manifests (to detect missing API keys); it only checks presence and does not exfiltrate values, but it will report which keys are missing. If you have sensitive naming conventions you do not want enumerated, be aware of this behavior.
  • The 'clean' action runs 'openclaw skills disable' or 'openclaw skills uninstall --force'; these are destructive operations. Always run 'report' first, inspect the list, and preferably run the cleanup in a controlled environment or with a backup.
  • The implementation contains a bug: diagnose_skill references SkillStatus.CONFIG_INVALID which is not defined in SkillStatus; this can cause runtime exceptions when a manifest is missing or invalid. Consider fixing or testing the script yourself before relying on automated cleanup.

If you decide to install: run the script manually first (python3 skill_cleaner.py) to verify output, inspect the code locally, and avoid running the 'clean' action until you confirm the report is accurate.

Like a lobster shell, security has layers — review code before you run it.

latestvk9792gdxjtc321k4h36r349kz985mzht
39 downloads
1 star
1 version
Updated 1d ago
v1.0.0
MIT-0

Skill Cleaner

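Purpose

Automatically finds installed Skills that cannot be used (missing API key, disabled, or corrupted files) and helps you clean them up.

Trigger scenarios

  • The user says: "Check my skill status"
  • The user says: "Why can't I use my XXX skill?"
  • The user says: "Clean up the skills that don't work"

Workflow

  1. Call the report action to get the diagnostic report.
  2. Show the user the list of invalid Skills and ask whether to clean them up.
  3. After the user confirms, call the clean action to perform disable/uninstall.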
