Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawwork

v1.0.0

Run professional tasks via ClawWork - turn Zero into an economically viable AI coworker. Use when you need to run complex jobs, ge...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (ClawWork integration to run paid AI tasks) align with the included code (CLI, quick task, shell wrapper). However the registry metadata lists no required environment variables or credentials while the SKILL.md and code clearly expect OpenRouter/OpenAI and E2B API keys in ~/.openclaw/workspace/ClawWork/.env. Also the code uses absolute paths under /home/freedom which may not match a different installation environment.
!
Instruction Scope
SKILL.md and the Python code instruct the agent/user to read and edit ~/.openclaw/workspace/ClawWork/.env, start a local dashboard, and run the CLI. The CLI writes a temporary JSON config under the ClawWork workspace, enumerates local agent data, and imports project modules (agent.live_agent) from the ClawWork codebase. Importing and running those modules may execute arbitrary logic not shown in the skill bundle. The instructions also reference contacting external services (OpenRouter/OpenAI and E2B) — which is coherent with the function but means secrets will be used externally.
Install Mechanism
There is no install spec (instruction-only skill with included code files). That lowers installer risk (no remote downloads), but the bundle expects a Python virtualenv at CLAWWORK_DIR/venv and a larger ClawWork project at ~/.openclaw/workspace/ClawWork which the skill does not install. The wrapper sources the venv and runs local modules — missing setup steps could lead users to run unreviewed code from a different location.
!
Credentials
The code and SKILL.md require sensitive environment variables (OPENAI_API_KEY, OPENAI_API_BASE, and an E2B_API_KEY), but the skill's declared requirements list none and the primary credential is unset. Requesting LLM and E2B keys is proportionate to the functionality, but the omission from metadata and the practice of loading a local .env file mean secrets may be placed in a file under the user's home directory and consumed by the skill without explicit declaration: a transparency and principle-of-least-privilege issue.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide agent settings. It writes a temporary config file (then deletes it) and reads/writes only under the ClawWork workspace path. No elevated persistence or cross-skill config changes are present in the bundle.
What to consider before installing
This skill largely does what it says (wraps a ClawWork project), but there are important inconsistencies and risks you should consider before installing:

- Secrets: The skill expects OPENAI_API_KEY / OPENAI_API_BASE and an E2B_API_KEY stored in ~/.openclaw/workspace/ClawWork/.env, but the registry metadata does not declare these. Do not place high-privilege keys there until you trust the code. Prefer scoped/test keys.
- Hardcoded paths: Files use absolute paths under /home/freedom and expect a venv at CLAWWORK_DIR/venv. If your environment differs the code may fail or read unexpected files. Review and adapt paths before running.
- Unreviewed imports: The CLI imports agent.live_agent from the ClawWork project directory (not included in these files). That code will run when you execute tasks; inspect the ClawWork project (the referenced GitHub repo) before executing to ensure it doesn't perform unwanted network, filesystem, or credential operations.
- Run in isolation first: If you want to try it, run it in a disposable VM or container and use limited-scope API keys. Verify what network endpoints are contacted (OpenRouter/E2B and any other endpoints the ClawWork project contacts).
- Metadata fix: Ask the skill author/maintainer to update the registry metadata to declare required env vars (OPENAI_API_KEY, OPENAI_API_BASE, E2B_API_KEY) and to avoid hardcoded user paths.

Given the mismatches (undeclared secrets + code that will import external project modules and use them), treat this skill as suspicious until you can review the full ClawWork project and confirm the exact runtime behavior.

Like a lobster shell, security has layers — review code before you run it.

latestvk97edfe88ahcw26m010mfacvmn81sfpa


Runtime requirements

💰 Clawdis
Bins: python3
