Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
@openclaw/interchange
v1.0.0
Shared .md interchange library for OpenClaw skills — atomic writes, deterministic serialization, YAML frontmatter, advisory locking, and schema validation. T...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the code: this is a pure-JavaScript library providing read/write/serialize/lock helpers for `.md` interchange files. It has no declared env/credentials and only depends on js-yaml, which is proportionate to the described functionality.
Instruction Scope
The SKILL.md usage examples and README are limited to reading/writing .md files and acquiring locks, which is expected. However the runtime code allows writing arbitrary filesystem paths (no root enforcement) and relies on an advisory lock implementation that the included CODEX_REVIEW flags as having TOCTOU and fd-handling issues. That means callers following examples could accidentally overwrite files outside the intended interchange workspace or see broken mutual exclusion under contention.
Install Mechanism
There is no install spec for the skill (instruction-only), and package.json shows only a small dependency (js-yaml) and dev-dep (vitest). No remote downloads or opaque install steps are present in the bundle, which keeps install risk low.
Credentials
The package declares no required credentials or env vars. It does read process.env.INTERCHANGE_ROOT (and falls back to HOME). That is reasonable, but because the code will read/write arbitrary paths, you should set INTERCHANGE_ROOT to a dedicated directory before use. No secrets/external service tokens are requested.
Persistence & Privilege
The skill does not request persistent platform privileges (always: false). It does not modify other skills' configs or require unusual system privileges. Its threat surface is limited to filesystem I/O within whatever paths it is pointed at.
Scan Findings in Context
[codex:lock-toctou] unexpected: CODEX_REVIEW.md flags a TOCTOU race in stale-lock cleanup (two waiters may both detect a dead PID and both unlink/replace the lock). Advisory locking should aim for exclusivity; this race undermines mutual exclusion and is not expected behavior for a locking helper.
[codex:lock-fd-leak-and-unlink] unexpected: Reviewer notes the lock FD lifecycle and unlink semantics allow a holder to have its lock file unlinked while still holding the fd, meaning the holder won't necessarily detect a stolen lock. This is an implementation correctness concern for a library that promises advisory locking.
[codex:readmd-regex-crlf] unexpected: CODEX_REVIEW originally reported a fragile frontmatter regex (CRLF and whitespace edge cases). The current io.js normalizes CRLF and uses an improved regex — the presence of the review file indicates this was a known issue. Still, it's a reminder to test cross-platform frontmatter edge cases.
[codex:atomicwrite-exdev] expected: Review points out fs.renameSync is not atomic across different filesystems (EXDEV). This is a known filesystem limitation rather than malicious code; the library places tmp files adjacent to target by default, which mitigates the risk but should be documented.
[codex:indexer-no-lock] unexpected: CODEX_REVIEW highlights indexer functions that call atomicWrite without acquiring locks in all paths (master index rebuild uses atomicWrite with no lock). For an index-maintenance helper this is a correctness/concurrency issue and not expected for robust multi-writer environments.
[codex:path-traversal-write] unexpected: The library accepts arbitrary file paths for readMd/writeMd/atomicWrite without enforcing they live under INTERCHANGE_ROOT. The reviewer calls this out — a skill could be used to write outside the intended workspace (e.g., `../../etc/passwd`) if misused or installed in a context with broad path inputs.
What to consider before installing
This library is coherent with its stated purpose, but treat it as 'not ready for untrusted multi-process use' until fixes are applied. Before installing or using it:
- Prefer to vendor or audit the code yourself; the bundle includes the full source and an internal code review (CODEX_REVIEW.md) listing critical concurrency issues.
- Set INTERCHANGE_ROOT to a dedicated directory (not $HOME or system directories) and run it with least privilege to prevent accidental writes to sensitive paths.
- Do not rely on the advisory locking for strict mutual exclusion between untrusted processes; if you need strong locks, replace or augment with OS-level flock()/fcntl or a centralized lock service.
- Review/fix the lock cleanup & fd lifecycle code (TOCTOU and fd/unlink semantics) and add path-assertion helpers so writes are constrained to the intended workspace.
- Run the included test suite in your environment (especially on Windows/CRLF and concurrent-write tests) and consider additional tests for malicious path inputs.
If you are not prepared to audit or patch the library, avoid using it in environments where concurrent writers or sensitive filesystem targets exist.
Like a lobster shell, security has layers — review code before you run it.
