Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
openclaw-agentlog
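v1.1.2
OpenClaw Agent automatic evidence-logging and Trace lifecycle management Skill. Provided for use by OpenClaw Agents, it implements: 1. Automatic session evidence logging - automatically records agent activity through OpenClaw Hooks 2. Trace lifecycle - manages the creation, claiming and completion flow of traces When to a...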
by @hobo0cn
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (agent session logging and trace handoff) aligns with many code behaviors (creating traces, writing sessions.json, capturing tool calls). However the package metadata claimed 'instruction-only' while the bundle includes executable code (postinstall script, install.sh, patch_dist.py) that modifies OpenClaw's global installation and the host filesystem. That degree of modification (hot-patching dist files under global node_modules, restarting services) is more intrusive than the SKILL.md/registry metadata suggests and not clearly justified in the manifest.
Instruction Scope
SKILL.md describes hooks, env vars, and sessions.json usage but does not document the install-time behaviors present in the code: automatic backup/patch of OpenClaw dist files, rsync/ssh synchronization to remote host, and postinstall hot-patching during npm install. The runtime code also executes git commands (git rev-parse), reads/writes files inside a repository's git common-dir (agentlog/sessions.json), and sets environment variables — actions that read/modify user repositories and system files beyond simple logging.
Install Mechanism
There is no declared install spec in registry metadata, yet package.json defines a postinstall script (scripts/postinstall.js) that will run automatically on npm install and attempts to patch global OpenClaw dist directories. Additionally install.sh can rsync to a remote host and run ssh commands and systemctl restarts. These behaviors are high-risk because they modify installed software and system services and run without an explicit curated install declaration in the registry metadata.
Credentials
The skill's documentation references environment variables (AGENTLOG_BACKEND_URL, AGENTLOG_MCP_URL, AGENTLOG_AGENT_ID) but the registry metadata lists no required env vars. The code will use those env vars (and defaults to http://localhost:7892). Because BACKEND_URL is configurable, a maliciously set BACKEND_URL could exfiltrate captured sessions/traces. The skill does not request cloud credentials, but it does read/write git repo files and interact with the filesystem — capabilities that are plausible for trace handoff but should be explicitly declared.
Persistence & Privilege
The plugin registers hooks (normal for a skill) but also includes scripts that modify OpenClaw's core dist JS files and restart the gateway service. Modifying the core dist bundle gives long-lived, system-wide influence over OpenClaw behavior beyond the plugin's own code. Although always:false (not force-enabled), the bundle's ability to patch runtime code and persist changes in global node_modules is a significant privilege and should be treated carefully.
What to consider before installing
This package is suspicious because it claims to be instruction-only but includes code that will automatically patch your OpenClaw installation and workspace files. Before installing:
1) Do not install on production systems without review.
2) Manually inspect postinstall.js, install.sh, and patch_dist.py (they modify files under global openclaw dist, run git commands, SSH/rsync, and restart services).
3) If you need the skill, run it first in an isolated VM/container and back up your OpenClaw installation.
4) Remove or disable the postinstall hook and do not run install.sh until you verify hosts/paths and understand its SSH usage.
5) Ensure any AGENTLOG_BACKEND_URL points to a trusted service (default is localhost; a remote URL could receive captured session data).
6) Prefer obtaining this functionality from a well-known, trusted source or request the author to provide a non-invasive install path and clearer declaration of required env/config and exact filesystem changes.
src/index.ts:169
Shell command execution detected (child_process).
src/index.ts:29
Environment variable access combined with network send.
src/index.ts:181
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
