Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill Safety Scanner
v1.0.0
Scan your installed ClawHub skills for dangerous code patterns — credential harvesting, shell injection, unauthorized network calls, and known malicious sign...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the actions: it runs a local OpenClaw audit and formats results. However the SKILL.md mixes tooling names (openclaw security audit vs clawhub uninstall) — this may be benign (two CLIs for related functionality) but you should confirm both commands exist on your system and are the correct managers for installed skills.
Instruction Scope
Instructions tell the agent to run `openclaw security audit --deep --json`, parse JSON, read every installed skill under ~/.openclaw/workspace/skills, show evidence, and (optionally) run `clawhub uninstall` + `rm -rf`. Those actions require reading arbitrary skill source files. The doc repeatedly claims 'zero network calls' and 'no data leaves your machine', but the scheduling example stores results 'to memory' (agent memory) — if the platform syncs memory to a cloud service, that could leak scan output. Verify where 'memory' is stored and whether 'openclaw cron add' actually persists prompts externally.
Install Mechanism
Instruction-only skill with no install spec and no code files — low install risk. It executes existing local CLIs; nothing is downloaded or written by default.
Credentials
No environment variables, credentials, or config paths are declared or required. The skill does instruct reading installed-skill files (under ~/.openclaw/workspace/skills), which is proportional to auditing purposes but means the scanner will inspect any secrets present in skill code — expected, but worth knowing.
Persistence & Privilege
The skill itself is not always-enabled. However the SKILL.md encourages creating a cron job via `openclaw cron add` that runs the scan automatically and (in the example) writes results to 'memory'. That creates persistent scheduled runs and stored outputs; if your agent platform persists or syncs memory to external services, scheduled runs and stored scan reports could leak sensitive info. Also automated removal commands (rm -rf) are destructive if misapplied — the skill does say to ask confirmation, but automated workflows increase risk.
What to consider before installing
This instruction-only skill is largely consistent with its stated purpose (running the local OpenClaw scanner and formatting results), but check a few things before using it:
- Confirm the CLIs: make sure `openclaw` and `clawhub` are the correct, expected local tools on your system. The SKILL.md mixes both names; verify `clawhub uninstall` will remove skills safely.
- Run the scanner manually first: run `openclaw security audit --deep --json` yourself and inspect the raw JSON before using any automation from this skill.
- Be careful with scheduling and memory: avoid using the example prompt that reports findings 'to memory' unless you know where memory is stored and that it never leaves your machine. Prefer local-only storage (files) for scan reports.
- Review deletion commands before running: the provided `rm -rf` is destructive. Only use auto-remove after manually verifying evidence.
- Understand data access: the skill will read every installed skill's source (including any secrets embedded there). That is necessary for auditing but means scan outputs may contain sensitive values — handle reports accordingly.
If you want higher assurance: run the OpenClaw audit manually, inspect the SKILL.md content yourself (it is provided), and avoid enabling scheduled/automatic reporting to agent memory or remote services.
Like a lobster shell, security has layers — review code before you run it.
