Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

E.x.O. Installer

v0.4.1

Install, update, and monitor E.x.O. tools like jasper-recall and hopeIDS, manage OpenClaw plugins, and perform health checks with a single command.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for emberdesire/exo-installer.

Prompt preview (Install & Setup):
Install the skill "E.x.O. Installer" (emberdesire/exo-installer) from ClawHub.
Skill page: https://clawhub.ai/emberdesire/exo-installer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install emberdesire/exo-installer

ClawHub CLI

npx clawhub@latest install exo-installer

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

[!] Purpose & Capability
The SKILL.md and cli.js broadly match the stated purpose (install/update/health-check of E.x.O. packages). However the skill executes global npm installs, npx commands, and may clone private GitHub repos — yet the metadata declares no required binaries or environment variables (e.g., git, npm, or a GitHub token). That mismatch (declaring nothing required while the code needs npm/git and potentially credentials) is disproportionate and inconsistent.
[!] Instruction Scope
Runtime instructions and the shipped cli.js instruct the agent to run arbitrary shell commands (npm install -g, npx <tool> setup, doctor commands), check/modify files under ~/.openclaw, and suggest cloning internal repos requiring GitHub access. Those actions can execute arbitrary third-party code (via npm/npx) and touch user files; the SKILL.md does not document authentication or safety boundaries (how internal repo access is obtained, or what auto-registration modifies). This expands scope beyond a simple 'installer' without clear safeguards.
Install Mechanism
There is no external install spec (skill is instruction-only) and the included code uses standard sources: npm registry and GitHub. No unusual remote download URLs or archive extraction were observed. Installing or running this CLI will invoke npm and npx which pull and execute code from package registries — normal for an installer but a real risk if you don't trust the packages being installed.
[!] Credentials
The package expects access to private/internal GitHub repos and can send alerts (README mentions Telegram), but requires.env is empty and no primary credential is declared. The packages.json includes internal packages with localPath entries under ~/projects, which implicitly accesses user files. Requiring GitHub access and potential notification tokens without declaring them is an inconsistency and increases risk.
Persistence & Privilege
The CLI writes state to ~/.openclaw/exo-state.json and references the OpenClaw config path (~/.openclaw/openclaw.json); README and SKILL.md mention cron setup and auto-registration. The skill is not 'always:true' and does not appear to escalate privileges beyond user-level file writes, but it will persist state and may create cron jobs or modify OpenClaw config if run — consider this persistent footprint when evaluating trust.
What to consider before installing
What to consider before installing/running this skill:

  • Trust the source: the CLI will run global npm installs and npx commands (these pull and execute third-party code). Only proceed if you trust the E.x.O. packages and the GitHub org listed.
  • Missing declared requirements: the skill requires npm, npx, git and may need GitHub credentials and Telegram tokens for alerts, but these are not declared — expect to provide or have these configured in your environment.
  • Local file access & persistence: it reads/writes ~/.openclaw/* and checks ~/projects paths; it can create state files and may modify OpenClaw config or set cron jobs. If you want to limit impact, run it in an isolated environment or container first.
  • Private repo cloning: internal packages reference private repos/local paths. If you run the 'internal clone' command the skill will attempt to access your GitHub account or local project directories — verify what it will clone and where.
  • Inspect the code: the shipped cli.js is readable; review the remainder of the truncated code paths (cron, telegram integration, internal clone) before use. Confirm how 'auto-register with OpenClaw' is implemented and whether it modifies other skills' configs.

If unsure: run the tool in a disposable VM/container, or request the maintainer to clarify required credentials (GitHub token, Telegram token), the exact changes performed on ~/.openclaw, and supply signed provenance (official GitHub repo) before granting it access to your primary environment.

Like a lobster shell, security has layers — review code before you run it.

latest vk978ggmzv2t2xps4vv7jttkcrh80zqda
983 downloads
0 stars
1 versions
Updated 10h ago
v0.4.1
MIT-0

exo-installer Skill

E.x.O. Ecosystem Manager

Install, update, and monitor all E.x.O. tools with a single command.

When to Use

  • User wants to install E.x.O. tools (jasper-recall, hopeIDS, context-compactor)
  • User asks about the E.x.O. ecosystem
  • User needs to set up OpenClaw plugins
  • User wants to check health of installed tools

Quick Start

# Install all public E.x.O. packages
npx exo-installer install --all

# Or install specific tools
exo install jasper-recall
exo install hopeIDS
exo install jasper-context-compactor

# Health check
exo doctor
exo doctor --json  # For automation

Commands

Command              Description
exo install --all    Install all public packages
exo install <pkg>    Install specific package
exo update           Update all installed packages
exo doctor           Health check all components
exo doctor --json    Health check with JSON output
exo list             List available packages
exo internal clone   Clone private repos (needs GitHub access)

Available Packages

Public (npm)

Package                    Description
jasper-recall              Local RAG system for agent memory
hopeIDS                    Behavioral anomaly detection
jasper-context-compactor   Token management for local models
jasper-configguard         Safe config changes with rollback

Internal (GitHub)

Repo             Description
hopeClaw         Meta-cognitive inference engine
moraClaw         Temporal orchestration agent
task-dashboard   Project management system
exo-distiller    Agent distillation pipeline

Internal packages require GitHub org access:

exo internal clone

Health Check

$ exo doctor
🔍 E.x.O. Health Check

jasper-recall ................. ✅ v0.4.2
  ChromaDB: ✅ connected
  Embeddings: ✅ loaded
  Documents: 847

hopeIDS ...................... ✅ v1.3.3
  Analyzer: ✅ ready
  Models: 3 loaded

jasper-context-compactor ...... ✅ v0.2.2

Overall: 3/3 healthy

Integration

After installing, tools auto-register with OpenClaw:

{
  "extensions": {
    "jasper-recall": { "enabled": true },
    "hopeIDS": { "enabled": true },
    "jasper-context-compactor": { "enabled": true }
  }
}
