Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Starter Pack

v1.0.0

One-click install curated skill packs for new OpenClaw users. Use when user says "install starter pack", "setup skills", "一键安装", "新手套餐", "install essential/d...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the provided behavior: a script that installs curated packs of skills. However, the SKILL.md and script require the external 'clawhub' CLI (or npx to run it), yet registry metadata lists 'Required binaries: none' — a mild inconsistency. Also the packs include high-capability skills (e.g., proactive-agent, self-improving) whose effects users should understand before bulk-installing.
Instruction Scope
Runtime instructions are limited: locate clawhub (or use npx), then run the provided Python installer which sequentially runs 'clawhub install <skill>'. The instructions do not ask the agent to read unrelated files or environment variables. They do require network access to clawhub.ai and may pull additional installation steps required by individual skills (some of which require external CLIs or auth).
Install Mechanism
No formal install spec in registry (instruction-only), but the included script uses shutil.which to call a global 'clawhub' CLI or falls back to 'npx clawhub'. Using npx means the installer will download and execute code from the npm ecosystem at runtime — a moderate risk. This is expected for an installer, but it is a point of increased trust: running the script triggers network package fetches and execution.
Credentials
The skill declares no required environment variables or credentials. SKILL.md notes that some included skills may need external CLIs or authentication (e.g., 'github' needs gh CLI auth, 'summarize' needs summarize CLI) — those are stated as optional per skill. No unexpected secrets are requested by this skill itself.
Persistence & Privilege
always:false and default agent invocation are set (normal). A precaution: installing packages that grant agent autonomy (proactive-agent, self-improving, decide, agent-memory-architect) increases the agent's capabilities and, when combined with autonomous invocation, enlarges the blast radius. This is a contextual risk rather than a metadata misbehavior.
What to consider before installing
- The included Python script will run 'clawhub install' (or 'npx clawhub install') for many skills. Ensure you trust clawhub.ai and the clawhub npm package because using npx will fetch and execute code from the network.
- The registry metadata omitted that 'clawhub' is required; make sure you have a trusted clawhub binary installed (or inspect the remote package before using npx).
- Review the individual skills listed (especially proactive-agent, self-improving, decide, and agent-memory-architect). They increase agent autonomy and/or persistent memory — only install these if you understand their behaviors and trust their authors.
- If you want to be cautious: run the installer in an isolated environment (container or VM), or manually run 'clawhub install <skill>' for each skill after reviewing its SKILL.md and source.

If you want me to, I can: (a) fetch and summarize the clawhub npm package contents (if you provide network access), (b) produce the exact 'clawhub install' commands the script will run for a chosen pack, or (c) help review any particular skill listed here in more detail.

Like a lobster shell, security has layers — review code before you run it.

latestvk97crsr3pcaqbgzxxb52nhfzyx832dff
