Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Smart Skill Finder

v1.0.0

Finds and recommends relevant AI agent skills across multiple ecosystems (Skills CLI, Clawhub, GitHub) using intelligent semantic understanding to match user...

by Eron (@edkuo7)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code implements multi-ecosystem search (Clawhub, Skills CLI, GitHub) and returns install commands — this aligns with the stated purpose. However the README/SKILL.md claim higher-level features ("OpenClaw's semantic understanding", VirusTotal security checks, workspace/memory integration, learning over time) that are not actually implemented in the provided code (the query understanding is simple keyword matching). The mismatch between claimed semantic capabilities and the simple keyword logic is an over‑claim, not outright malicious, but it's misleading.
Instruction Scope
SKILL.md promises read-only, safe behavior and says it never executes installs automatically — the implementation appears to respect that (it formats install commands rather than running them). However the ecosystems module executes external commands to search the Skills CLI using subprocess.run with shell=True and a command string constructed from user queries (e.g., `npx skills find "{search_terms}" --json`). Because search_terms are derived from the user query with minimal escaping, this creates a command‑injection risk if that code is invoked with untrusted input. The code also includes browser automation logic that assumes a browser_controller interface and will drive a browser snapshot/type/press_key flow; that can interact with remote sites and scrape content. Additionally, the skill claims workspace awareness and memory integration but I see no file-reading or memory calls in the code — this is a scope mismatch.
Install Mechanism
There is no install spec and no packaged native installer — the skill is included as code files (no external downloads during install). That lowers install-time risk. The code does build install commands (git clone, npx add, clawhub install) but those are only returned to the user, not executed by the skill itself.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However documentation references (VirusTotal/OpenClaw security scanning) are present even though I found no code calling VirusTotal or other security services. Also GitHub API calls are made unauthenticated (no token requested), which is reasonable but may be rate-limited; nothing in the repo requests unrelated credentials.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and doesn't write persistent configuration as part of an install spec. It returns install commands but does not, in the provided code, automatically run them or persist credentials.
What to consider before installing
What to check before installing/using this skill:

1) Review and sanitize inputs: the Skills-CLI search runs via subprocess.run with shell=True using user-derived text. If you or the agent runs this code on arbitrary user input, command-injection is possible. Prefer escaping or using a list form for subprocess or otherwise sanitizing the query string.

2) Verify claimed features: the README/SKILL.md advertise semantic-model based understanding, VirusTotal checks, and workspace/memory integration, but the code uses simple keyword matching and I found no VirusTotal or local workspace reads. Treat those claims as marketing until the author provides evidence or code updates.

3) Be cautious with browser automation: the browser discovery code assumes a browser_controller and will drive a browser (open pages, type, press keys). Only run this in a controlled environment and avoid passing credentials or sensitive context to it.

4) Installation commands are returned (git clone, npx, clawhub). Do not execute them automatically — inspect sources (GitHub repo, author) before cloning/running third-party skills. Consider cloning into a sandboxed VM/container and scanning the repo before use.

5) If you plan to run this skill in production or allow it to be invoked autonomously, request the author to:
   - Remove shell=True usage or properly escape/validate user inputs; use subprocess.run([...]) list form.
   - Make security-scanning calls explicit (show how VirusTotal/OpenClaw are queried and where API keys would be stored if needed).
   - Document the browser_controller contract and provide safe default behavior.

Given these issues (misleading claims + a real shell-injection pattern), review and remediation are recommended before trusting the skill in an environment with sensitive data or in which the agent can run code autonomously.

Like a lobster shell, security has layers — review code before you run it.


