Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Background Download

v1.0.0

Asynchronous background download with retry, status tracking via Ontology, notifications to original channel. Supports resume on broken connections.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (background, resume, retry, ontology tracking, notifications) align with the code and SKILL.md. Requiring an ontology skill and a message/CLI for notifications is expected for the described behavior. The need for curl/wget is justified.
Instruction Scope
The SKILL.md and code instruct the agent to create and update DownloadTask entities and to send notifications to the original channel, all of which is consistent. However, the runtime instructions and code execute many shell commands (calling an ontology script, running curl, invoking 'openclaw message send') and interpolate user-supplied strings into those shell commands without escaping. The code also double-forks to create detached background processes. These behaviors expand the runtime scope considerably and introduce injection and operational risks that the SKILL.md does not call out.
Install Mechanism
No install spec; the skill is instruction-plus-code only. Nothing is downloaded from external URLs during install. This is low install risk, but the code will execute commands at runtime.
Credentials
The skill declares no env vars, which is consistent. But it assumes a specific local path for the ontology script (~/.openclaw/.../ontology/scripts/ontology.py) and uses the 'openclaw' CLI; these implicit dependencies and path assumptions give it access to local agent memory and to messaging. Notifications include URLs and paths, which could leak sensitive information to channels. The skill accepts arbitrary URL/path/channel inputs that are interpolated directly into shell commands: a disproportionate risk for a simple downloader unless those inputs are strictly validated or escaped.
Persistence & Privilege
The skill forks detached background processes to perform downloads and relies on scheduled cleanup/archiving. It does not request 'always: true' or modify other skill configs, but the background process model means the skill will run independently of the parent session. This is expected for background downloads but increases the blast radius if the code is abused (e.g., to download arbitrary content or perform repeated network calls).
What to consider before installing
This skill appears to do what it claims (background downloads tracked in Ontology, with notifications to the original channel), and its implementation looks risky rather than malicious. Key concerns to check before installing:

- The code builds shell commands (the ontology invocation, curl, openclaw message) by concatenating user-provided strings without escaping, so it is vulnerable to shell injection. Review and/or patch the code to pass argument lists (no shell=True) or, where a shell string is unavoidable, quote every argument with shlex.quote.
- The script assumes a hard-coded ontology script path under ~/.openclaw/...; confirm that the path is correct and that the referenced ontology CLI is trusted and safe.
- Notifications include URL and file path information; decide whether that could leak sensitive URLs (for example credentials or tokens in a query string) or filesystem locations to channels.
- Background processes persist outside the agent session; run this skill in a restricted environment, or with limited filesystem and network permissions, if possible.
- If you plan to let other skills call start_download programmatically, ensure callers cannot pass malicious values for 'url', 'path', or 'channel'.

If you cannot audit and harden the code (escape shell arguments, validate inputs, or call the ontology/openclaw APIs safely), treat this skill as unsafe to enable in production.
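To make the hardening the report asks for concrete, here is an added example written for this page; it is not the skill's own code and does not reproduce it. It places the flagged pattern (a curl command built by string concatenation) next to an argv-based version with input validation, tokenises the unsafe string the way a POSIX shell would so the injected command is visible without running anything, and shows URL redaction for notifications. The curl flags are standard; the '--channel'/'--message' flags for 'openclaw message send' and the payload URL are assumptions for illustration only.

```python
"""Added example (not the skill's own code): unsafe vs. hardened command
construction for a downloader that shells out to curl and a notification CLI.

Tool names (curl, the ontology.py helper, 'openclaw message send') come from
the scan report; the flags passed to the notification CLI are ASSUMED here
and would need checking against the real openclaw CLI before use.
"""
import re
import shlex
import subprocess
from pathlib import Path
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}
# Conservative channel allowlist: no whitespace, no shell metacharacters.
CHANNEL_RE = re.compile(r"^[A-Za-z0-9_.:-]{1,64}$")


def unsafe_curl_command(url: str, dest: str) -> str:
    """The pattern the report flags: user input concatenated into a shell string.
    Executed with shell=True, any metacharacter in url or dest is sh syntax."""
    return f"curl -L -o {dest} {url}"


def shell_tokens(command: str) -> list[str]:
    """Tokenise roughly as /bin/sh would (';', '|', '&' become separate tokens),
    so the effect of injected text can be shown without executing it."""
    lex = shlex.shlex(command, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return list(lex)


def validate_url(url: str) -> str:
    """Accept only http(s) URLs with a host. This limits WHAT is fetched; it does
    not by itself stop shell injection ('http://h/f; rm -rf ~' parses fine)."""
    parsed = urlparse(url)
    if parsed.scheme not in ALLOWED_SCHEMES or not parsed.netloc:
        raise ValueError(f"unsupported URL: {url!r}")
    return url


def validate_dest(dest: str, downloads_root) -> Path:
    """Confine the output file to a downloads directory: rejects '../' escapes,
    absolute paths (Path joining replaces root) and the root itself."""
    root = Path(downloads_root).resolve()
    target = (root / dest).resolve()
    if target == root or root not in target.parents:
        raise ValueError(f"destination escapes {root}: {dest!r}")
    return target


def validate_channel(channel: str) -> str:
    if not CHANNEL_RE.fullmatch(channel):
        raise ValueError(f"invalid channel: {channel!r}")
    return channel


def safe_curl_argv(url: str, dest: str, downloads_root) -> list[str]:
    """Hardened form: an argv list run without a shell. Each user value is
    exactly one element, so ';', '$(...)' or backticks are data, not syntax.
    '-C -' resumes a partial file; '--fail' turns HTTP errors into non-zero
    exits that retry logic can act on."""
    return ["curl", "--fail", "-L", "-C", "-", "--max-time", "300",
            "-o", str(validate_dest(dest, downloads_root)), validate_url(url)]


def safe_notify_argv(channel: str, message: str) -> list[str]:
    """Notification as argv. The '--channel'/'--message' flag names are an
    assumption for this example, not the documented openclaw CLI."""
    return ["openclaw", "message", "send",
            "--channel", validate_channel(channel), "--message", message]


def redact_url(url: str) -> str:
    """Drop userinfo, query and fragment before a URL is echoed into a channel;
    credentials and tokens usually travel in exactly those parts."""
    p = urlparse(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return p._replace(netloc=host, query="", fragment="").geturl()


def run(argv: list[str]) -> subprocess.CompletedProcess:
    """Always shell=False. If a shell string is unavoidable (e.g. for a log
    line), shlex.join(argv) quotes every element."""
    return subprocess.run(argv, shell=False, check=False,
                          capture_output=True, text=True)


if __name__ == "__main__":
    payload = "http://example.com/f; rm -rf ~"  # constructed injection payload
    print("unsafe tokens:", shell_tokens(unsafe_curl_command(payload, "out.bin")))
    print("safe command :", shlex.join(safe_curl_argv(payload, "out.bin", "/tmp/dl")))
    print("redacted     :", redact_url("https://user:pw@host.example/f.bin?token=abc"))
```

Note that the URL check passes the injected payload: the host is valid and the rest is just a path. The protection comes from never handing the string to a shell; validation is there to bound what the downloader will fetch, where it will write, and which channel it will post to.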

Like a lobster shell, security has layers — review code before you run it.

latest: vk979n6mawbcs03fd8dtyrbk8xd8458px

