Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

boc init

v1.0.1

Deployment-host initialization tool for the BoCloud BOC container platform. It automatically performs the deployment-host environment check, deployment-package verification, unpacking, and bocctl init initialization. Use case: when a user needs to initialize a BOC container platform deployment host.

by Rick (@hongruiji)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hongruiji/boc-init.

Prompt preview (Install & Setup):
Install the skill "boc init" (hongruiji/boc-init) from ClawHub.
Skill page: https://clawhub.ai/hongruiji/boc-init
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI (bare skill slug):

openclaw skills install boc-init

ClawHub CLI (via npx):

npx clawhub@latest install boc-init

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The SKILL.md describes initializing a BOC deployment host and the runtime steps (checks, checksum, unpack, bocctl init) are consistent with that purpose. However README refers to a scripts/boc_init.js that is not present in the bundle, and SKILL.md references other skills (rssh2, ssh-exec) and optional binaries that are not included. The absence of the promised automation script is an inconsistency.
Instruction Scope
The instructions require remote SSH credentials (user-supplied) and tell an operator to run many privileged operations on the target (rm -rf, tar extraction, kill processes, run bocctl init). Those actions are within the stated purpose, but the SKILL.md contains several erroneous or suspicious command examples: 'nohup cd ...' (no-op), an odd sha256 command that writes to /tmp and expects a Chinese '成功' string, a typo 'pa aux' instead of 'ps aux', and incorrect guidance for installing sshpass (suggests 'pip install sshpass -g'). The doc also recommends downloading a Windows sshpass binary from an external GitHub release URL without checksumming it. These errors and the external-download guidance increase risk and reduce trustworthiness.
Install Mechanism
There is no formal install spec (instruction-only), which is lower risk. However the text advises downloading an sshpass binary from a GitHub release (third-party binary) and installing tools (node, python) to enable other skills — those are ad-hoc instructions outside the package and could introduce risk if followed without verification.
Credentials
The skill does not request environment variables or stored credentials from the platform; it expects the user to supply SSH host/user/password parameters which are reasonable for remote-init tooling. There are no hidden credential requests in the bundle. Still, feeding root passwords to a skill from an untrusted source is inherently sensitive.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges or persistent presence. It's user-invocable and can be called autonomously by the agent (default), which is normal; there is no evidence it modifies other skills or system-wide agent settings.
What to consider before installing
This skill's high-level purpose matches its instructions, but several inconsistencies and risky recommendations mean you should proceed carefully:

  • Do not run these commands verbatim on a production host. The SKILL.md contains typos and incorrect commands (e.g., 'nohup cd', 'pa aux', odd sha256 usage).
  • The bundle references an automation script (scripts/boc_init.js) that is missing. Ask the publisher for the actual script/source before trusting automation.
  • The doc suggests downloading an sshpass binary from a third-party GitHub URL. If you need sshpass, verify the URL, checksum/signature, and the publisher's identity before downloading; prefer SSH key-based authentication rather than a password.
  • Validate the deployment package and any binaries manually (verify checksums, run in an isolated/test environment first).
  • If you will provide root SSH credentials, prefer ephemeral test accounts or key-based access with least privilege; avoid supplying secrets to unknown/unsigned skills.
  • Request the skill's source or homepage and a maintainer contact; if unavailable, treat the missing script and erroneous commands as a warning sign and consider implementing the steps yourself or using a known, vetted tool.

If you want, I can: (1) extract all the problematic command examples and show corrected versions, (2) produce a safe checklist to run these steps manually, or (3) draft specific questions to ask the publisher to resolve the missing/misleading pieces.


latest: vk97fqqe2wcaqp8v8qd4a19gbcx83qhgx
102 downloads · 0 stars · 2 versions · Updated 1mo ago · v1.0.1 · MIT-0

BOC Deployment Host Initialization

Automates the initialization of a deployment host for the BoCloud BOC container platform.

Input parameters

| Parameter       | Description                                                   | Example              |
|-----------------|---------------------------------------------------------------|----------------------|
| deploy_pkg_dir  | Directory containing the deployment package and checksum file | /opt                 |
| deploy_pkg_file | Deployment package file name                                  | BOC.tar.gz           |
| ssh_host        | Deployment host IP                                            | <deployment host IP> |
| ssh_port        | SSH port                                                      | 22                   |
| ssh_user        | SSH user name                                                 | root                 |
| ssh_password    | SSH password                                                  | Password             |

Workflow

1. Environment check

Connect to the deployment host and check:

  • hostname
  • operating system version
  • kernel version
  • DNS configuration
  • disk space (the /var directory needs at least 50 GB)
  • whether the deployment package is present
2. Deployment package verification

Run the SHA256 check:

nohup cd <deploy_pkg_dir> && sha256sum <deploy_pkg_file>.sha256 > /tmp/sha256sum-<deploy_pkg_file>.txt

Check the verification result periodically:

cat /tmp/sha256sum-<deploy_pkg_file>.txt

Success criterion: the result contains "<deploy_pkg_file>: 成功" ("成功" is the zh_CN-locale rendering of sha256sum's "OK")

3. Unpack the deployment package

Important: clean up the old directory before unpacking, so that leftover files do not cause problems:

# Clean up the old directory before unpacking
cd <deploy_pkg_dir>
test -d BOC_k8s_noarch && rm -rf BOC_k8s_noarch

# Unpack in the background (a 30GB file is expected to take 15-20 minutes)
nohup tar -xzf <deploy_pkg_file> > /tmp/unpack.log 2>&1 &

# Check unpack progress periodically, judging by the process
## 1 Check whether the following process exists; if it does, unpacking is still in progress
ps aux |grep 'tar -xzf <deploy_pkg_file>'

## 2 If not, check /opt/BOC_k8s_noarch; its disk usage should normally be about 31GB
du -sh /opt/BOC_k8s_noarch

4. Verify the unpack result

Correct directory structure after unpacking:

/opt/BOC_k8s_noarch/
├── bocctl           # main program
├── bocctl_lib       # library files
├── images           # image files
├── packages         # installation packages
├── playbooks        # Ansible playbooks

5. Run bocctl init

Run the initialization in the background (expected 15-20 minutes):

cd <deploy_dir>
nohup ./bocctl init > /tmp/bocctl_init.log 2>&1 &
# Periodically check whether the bocctl process exists; if it does, init is still running
# Also check the execution log at the same time
pa aux |grep bocctl
tail -n 20 /opt/BOC_k8s_noarch/log/bocctl.log

6. Verify that initialization completed

Success criterion: use nerdctl ps to check that the following two containers are running normally:

nerdctl -n k8s.io ps | grep -E "(yum_registry|bocloud_deploy_registry)"

The expected output should include:

  • yum_registry container - running
  • bocloud_deploy_registry_k8s container - running
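The local steps of the workflow above (checksum, unpack, layout check, progress check and the registry-container check) rewritten as one self-contained POSIX shell script. This is an added example; it is not the skill's own code and not the missing scripts/boc_init.js. It assumes GNU sha256sum, tar, awk and mktemp are installed, takes the directory and file names as arguments instead of the <deploy_pkg_dir>/<deploy_pkg_file> placeholders, and the nerdctl --format invocation named in its comments is an assumption rather than something taken from the page. The BOC.tar.gz and the container listings it works on are constructed sample data built by the script itself.

```shell
#!/bin/sh
# Added example, not the skill's own code: corrected, self-contained versions of the
# local steps in the workflow above (checksum, unpack, layout check, progress check,
# registry-container check). It assumes GNU sha256sum, tar, awk and mktemp are
# installed. Directory and file names are passed as arguments instead of the
# <deploy_pkg_dir>/<deploy_pkg_file> placeholders used in the SKILL.md.

# verify_package DIR FILE
# Compares the SHA-256 of DIR/FILE with the first field of DIR/FILE.sha256.
# Accepts both the "<hash>  FILE" layout written by sha256sum and a bare-hash
# file, and does not rely on the locale-dependent "OK"/"成功" text that
# `sha256sum -c` prints. Returns 0 only on an exact match.
verify_package() {
    dir=$1; file=$2
    [ -f "$dir/$file" ] || { echo "missing package: $dir/$file" >&2; return 1; }
    [ -f "$dir/$file.sha256" ] || { echo "missing checksum: $dir/$file.sha256" >&2; return 1; }
    expected=$(awk 'NR == 1 { print tolower($1) }' "$dir/$file.sha256")
    actual=$(sha256sum "$dir/$file" | awk '{ print $1 }')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# unpack_package DIR FILE SUBDIR
# Deletes a stale DIR/SUBDIR only after the checksum has passed, then extracts
# DIR/FILE. For a 30 GB package run the tar line as
# `nohup tar -xzf FILE > /tmp/unpack.log 2>&1 & echo $! > /tmp/unpack.pid`
# and poll still_running on that pid file instead of grepping `ps aux`.
unpack_package() {
    dir=$1; file=$2; subdir=$3
    verify_package "$dir" "$file" || return 1
    # Only an unqualified directory name may be removed, never a path.
    case $subdir in ''|*/*|.|..) echo "refusing to remove '$subdir'" >&2; return 1 ;; esac
    rm -rf "$dir/$subdir"
    (cd "$dir" && tar -xzf "$file") || return 1
    [ -d "$dir/$subdir" ]
}

# check_layout DIR: the unpacked tree must contain the entries listed in step 4.
check_layout() {
    for entry in bocctl bocctl_lib images packages playbooks; do
        [ -e "$1/$entry" ] || { echo "missing $1/$entry" >&2; return 1; }
    done
}

# still_running PIDFILE: 0 while the process recorded in PIDFILE is alive.
still_running() {
    [ -f "$1" ] && kill -0 "$(cat "$1")" 2>/dev/null
}

# registries_running: reads "name<TAB>status" lines on stdin and returns 0 only
# when both registry containers from step 6 are present with a status that
# starts with "Up". A plain grep for the names would also accept an exited
# container. Feed it with (assumed nerdctl --format syntax):
#   nerdctl -n k8s.io ps --format '{{.Names}}\t{{.Status}}' | registries_running
registries_running() {
    awk -F '\t' '
        $1 == "yum_registry"                && $2 ~ /^Up/ { yum = 1 }
        $1 == "bocloud_deploy_registry_k8s" && $2 ~ /^Up/ { dep = 1 }
        END { exit !(yum && dep) }'
}

# make_sample_package DIR: builds a constructed BOC.tar.gz with the expected
# layout plus its .sha256 file, so the functions above can be exercised offline.
make_sample_package() {
    dir=$1
    mkdir -p "$dir/BOC_k8s_noarch/bocctl_lib" "$dir/BOC_k8s_noarch/images" \
             "$dir/BOC_k8s_noarch/packages" "$dir/BOC_k8s_noarch/playbooks"
    printf '#!/bin/sh\necho init\n' > "$dir/BOC_k8s_noarch/bocctl"
    (cd "$dir" && tar -czf BOC.tar.gz BOC_k8s_noarch && rm -rf BOC_k8s_noarch \
        && sha256sum BOC.tar.gz > BOC.tar.gz.sha256)
}

# Constructed sample container listings (not captured from a real host).
SAMPLE_REGISTRIES_OK=$(printf 'yum_registry\tUp 12 minutes\nbocloud_deploy_registry_k8s\tUp 11 minutes\n')
SAMPLE_REGISTRY_EXITED=$(printf 'yum_registry\tUp 12 minutes\nbocloud_deploy_registry_k8s\tExited (1) 3 minutes ago\n')
```

Source the file, run make_sample_package on a temporary directory, then call verify_package, unpack_package and check_layout on it. verify_package compares digests directly, so it works in any locale and with either checksum-file layout; unpack_package only deletes an unqualified directory name inside the package directory, and only after the checksum has passed; registries_running demands an "Up" status instead of a bare name match. The SSH transport and the bocctl init step itself are outside the scope of this script.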

Usage example

Please use boc-init to initialize the deployment host:
- Deployment package directory: /opt
- Deployment package file: BOC.tar.gz
- Deployment host IP: 10.50.6.181
- SSH port: 22
- SSH user: root
- SSH password: password

Output

  • Deployment host initialization completion status
  • Status of key components after initialization:
    • ansible version
    • nerdctl container status (yum_registry and bocloud_deploy_registry_k8s)
    • containerd service status

FAQ

Q: The directory structure is abnormal after unpacking

A: Run the unpack again, making sure the old directory is deleted first.

Q: bocctl init hangs

A: Check whether a yum process is stuck; if so, kill it and retry.

Q: Ignore the ./bocctl parameter reference

A: Ignore the ./bocctl parameter reference and use only ./bocctl init. Remote initialization deployment is not needed; use local initialization only.

Q: Prerequisites for local execution

A: node must be installed to use the rssh2 skill; python must be installed to use the ssh-exec skill; on Windows, Git for Windows must be installed.

Q: Resolving SSH password-based connection problems

A: If python is installed, prefer the ssh-exec skill; if node is installed, prefer the rssh2 skill. First check whether sshpass is present on the operating system; if not, proceed as follows: on Windows, download sshpass from https://github.com/xhcoding/sshpass-win32/releases/download/v1.0.7/sshpass.exe and use it; on Linux, install it with pip install sshpass -g.
