Skillv2.0.3

ClawScan security

Agentplace · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 13, 2026, 5:04 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's stated purpose (a marketplace installer) is coherent, but the runtime instructions omit important safeguards and the registry metadata doesn't match the commands the skill tells the agent to run — proceed cautiously and verify before using.
Guidance: The skill appears to do what it says (a marketplace installer) but has several practical and safety issues you should consider before installing or using it: - Metadata mismatch: The instructions call curl, zipinfo, unzip and write into ~/.openclaw/workspace/skills, but the registry declares no required binaries or config paths. Ensure the runtime environment has the necessary tools and be aware of this discrepancy. - Unverified downloads: The workflow downloads ZIP archives from external CDN hosts but provides no checksum/signature verification. An attacker who controls the CDN or a compromised package could deliver malicious code. Prefer marketplaces that publish signed releases or checksums, or insist on validating hashes before extraction. - Unsafe extraction: The recipe uses unzip -qo and then moves the contents into your skills directory. That can silently overwrite existing files, and ZIP archives can include path-traversal entries (../) or symlinks. Before extraction, inspect zipinfo output carefully and never use quiet overwrite in untrusted scenarios; extract to an isolated temp directory and scan the contents. - API key handling: Paid agents require an API key. The skill does not declare a primaryEnv; confirm how the key will be supplied, that it won't be logged or put into shell history, and store it securely. - Preview limitations: The instructions preview SKILL.md and list files, which is good, but you should also inspect binaries or scripts in the archive for unexpected network calls or privileged operations before final confirmation. Recommendations: only use this skill if you trust the Agentplace domain, run installations into a disposable or sandboxed environment first, require explicit non-overwriting install behavior, demand checksum or signature verification for downloads, and treat paid-agent API keys as secrets (enter interactively into a secure prompt or store in a secret manager rather than exposing them on command lines).

Review Dimensions

Purpose & Capability: concernName and description match the instructions (browse, preview, download, install agents). However the SKILL.md relies on local commands (curl, zipinfo, unzip, mv) and writes to ~/.openclaw/workspace/skills, while the registry metadata declares no required binaries and no required config paths — an incoherence between declared requirements and the actual operations the instructions assume.
Instruction Scope: concernInstructions perform network downloads and write extracted archives into the user's workspace, which is expected for an installer, but they give broad filesystem-write steps (unzip -qo; mv into ~/.openclaw/workspace/skills) without describing safety checks. There are no protections shown for zip path traversal, symlinks, overwriting existing skills, or for scanning binaries in the archive. The skill also references an API key for paid agents but doesn't mandate how it will be supplied (env vs prompt).
Install Mechanism: concernThis is instruction-only (no install spec) which is low-risk in one sense, but it instructs downloading ZIPs from external hosts (cdn.agentplace.sh) and extracting them locally with no integrity verification (no checksum or signature), and uses unzip -qo (quiet overwrite). Download+extract from external CDN without integrity checks is a material risk and should be hardened.
Credentials: noteSKILL.md documents a paid-agent API key (format ak_xxxxxxxx) and shows using an x-api-key header, but the skill's registry metadata declares no required env vars or primary credential. It's plausible the design expects interactive prompting for a key, but the metadata/instructions are inconsistent and the presence of a key used for downloads should be declared and handled carefully (secure storage, not echoed, not placed in command history).
Persistence & Privilege: noteThe skill is not always-enabled and does not request elevated platform privileges, which is appropriate. It does modify the user's workspace by adding/moving files into ~/.openclaw/workspace/skills/<agent-id>, and the provided steps may overwrite existing directories silently. This write-to-home behavior is expected for an installer but should include safeguards (confirmations, backups, non-overwriting install options).