Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawLock
v2.2.1ClawLock — 综合安全扫描、红队测试与加固工具,支持全平台。 当用户明确要求安全扫描、安全体检、安全加固时触发: 「开始安全体检」「安全扫描」「检查 skill 安全」「安全加固」「探测实例」 「scan my claw」「security check」「drift detection」「red team...
⭐ 1· 93·0 current·0 all-time
byg0at@g1at
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md and SKILL_EN.md describe a comprehensive local security scanner, red-team tester, and hardening toolkit — which justifies scanning local Claw configs, detecting risky env vars, and optionally running red-team flows. However, the registry-level metadata provided to the platform says there are no required binaries/env vars, while the SKILL.md lists a pip package 'clawlock' and a 'clawlock' binary (and optional promptfoo). This mismatch between registry metadata and the embedded skill manifest is an inconsistency that should be clarified.
Instruction Scope
The instructions reasonably direct the agent to read Claw configuration files, environment variables (e.g., NODE_OPTIONS, LD_PRELOAD), run local static checks, and optionally truncate and send code snippets to an LLM if the user enables --llm. Concerningly, the skill explicitly instructs the agent to perform online version checks, run 'pip install -U clawlock' if the user agrees, and fetch/replace local SKILL.md files from the GitHub repo as part of an update flow. Those update steps permit network downloads and file replacement of the skill itself and rely on the agent executing package-install commands — a high-impact capability that exceeds ordinary read-only scanning and requires explicit, cautious user consent.
Install Mechanism
This is an instruction-only skill (no bundled code), but the SKILL.md tells the agent to install or update a PyPI package via pip and to pull skill files from a GitHub repo. Pip installs from PyPI and fetching files from GitHub are common, but without recommended integrity checks (signatures, checksums) and when performed automatically inside a conversation, they present supply-chain risks. The skill also suggests running optional Node/promptfoo red-team tooling (npx/promptfoo) which would execute third-party code if enabled.
Credentials
The skill does not request unrelated credentials or secret environment variables in the registry metadata. It documents that certain online features require an LLM API key (--llm + API key) or Node.js for promptfoo, and it explicitly states what data would be sent when those optional features are enabled (truncated code snippets, prompts). Reading risky env vars (NODE_OPTIONS, LD_PRELOAD, etc.) for detection is proportionate to a security scanner.
Persistence & Privilege
always:false (no forced global inclusion). The main privilege concern is that the skill's runbook asks the agent to perform package updates and overwrite local skill files when the user agrees — actions that modify disk and install/execute third-party code. This is a powerful capability but is explicit in the instructions and tied to user approval; it should be gated by explicit confirmation and optional safeguards.
What to consider before installing
Before installing or running this skill: (1) Clarify the metadata mismatch — confirm whether the platform registry should list 'clawlock' as a required binary/package. (2) Treat any in-conversation 'pip install -U clawlock' or automatic skill-file replacement as a supply-chain action: only proceed with explicit user approval, ideally after verifying the PyPI package author, reading its release notes, and checking checksums/signatures if available. (3) Disable optional online features (LLM red-team, promptfoo) unless you explicitly want them; they will run third-party code and may transmit truncated code or prompts. (4) Prefer performing updates manually or in a sandboxed environment if you do not trust automatic in-conversation installs. (5) If you need higher assurance, ask the skill author for an integrity mechanism (signed releases, package hashes) and for the exact GitHub raw URLs used to fetch skill files before allowing automatic replacement.Like a lobster shell, security has layers — review code before you run it.
latestvk97a26kj9fq1h0y6dsvbfkht0n84bv5x
License
MIT-0
Free to use, modify, and redistribute. No attribution required.