Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawpilot
v1.0.1
Clawpilot is your skill installation advisor. It analyzes task intent, recommends suitable skills, compares tradeoffs, explains risk, and suggests an install...
by haidong @harrylabsj
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (installation advisor) align with provided files: a local intent map, a local skill DB, and a rule-based recommender. The skill does not request unrelated credentials or binaries and only needs a Python3 runtime as declared.
Instruction Scope
SKILL.md and handler.py limit behavior to: parse a user query, match keywords against the shipped intent map, consult the shipped skill DB, and generate a markdown report. Runtime instructions/CLI examples invoke handler.py locally; there are no instructions to read unrelated system files, call external endpoints, or exfiltrate data.
Install Mechanism
No install spec is provided (instruction-only). There are only local data files and scripts; nothing is downloaded or extracted from external URLs. This is the lowest-risk install model.
Credentials
The skill declares no required environment variables, no credentials, and no config paths. The code only opens the two local JSON data files. There is no disproportionate request for secrets or unrelated access.
Persistence & Privilege
The manifest does not request always:true and the skill does not modify other skills or system configuration. It is an on-demand advisor with no forced persistent privileges.
Assessment
This skill appears coherent and low-risk: it runs locally (Python3) against the included JSON data files and only gives recommendations. Before installing, verify you are comfortable running the bundled Python script and optional test.js (the test uses node to spawn python3). Inspect the shipped data files (data/intent-map.json and data/skill-db.json) if you want to confirm the intent mappings and risk labels reflect your expectations. No credentials or network downloads are requested, and v1 explicitly does not auto-install other skills. If you need stronger guarantees, run the tests in an isolated environment (or inspect the code) and confirm your runtime has only trusted interpreters (python3/node).
test.js:21
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
