Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description (蜀宁 OA 工时管理) matches the supplied scripts: login, list projects, submit/query/update time entries. However the registry metadata provided earlier lists no required binaries or env vars, while the SKILL.md and code explicitly require openssl (used to decrypt .enc credentials) and an OA_ENC_KEY. This mismatch is an incoherence in the declared requirements.
Instruction Scope
Runtime instructions and scripts stick to OA tasks (login, captcha solve, session creation, POST/PUT/GET calls to /sn/* endpoints). They read a credentials file (plaintext or .enc), decrypt with openssl if needed, and send tokens to the OA base URL. Two items to note: (1) captcha recognition pipeline uses OCR output that is sanitized then passed to eval() to compute arithmetic results — this relies on sanitization and is a potential code-injection risk if OCR or input is tampered; (2) scripts call external network endpoints (the user's OA system) and will transmit username/password and tokens as part of normal operation, which is expected for this skill but worth being explicit about.
Install Mechanism
No install spec (instruction-only) — the skill ships Python scripts that run in-place and perform runtime bootstrap (re-exec into a Python interpreter with required modules). This is lower risk than arbitrary remote installers, but the runtime_bootstrap will execve other Python binaries on disk and the scripts call subprocess.run for openssl; those behaviors are expected for the shipped code but give the skill the ability to execute local binaries.
Credentials
The skill requires access to OA credentials (username/password/base URL/default project) and supports encrypted credential files decrypted with OA_ENC_KEY or a file at ~/.openclaw/workspace/.cache/oa_enc_key. Those secrets are appropriate for an OA integration, but the registry metadata omitted declaring OA_ENC_KEY and required openssl — this discrepancy is concerning (either packaging omitted required secret declarations, or the skill silently depends on secrets/binaries not recorded). Requiring environment-held decryption keys and reading credential files is sensitive and should be explicitly declared.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not persist beyond its own files. It does re-exec into available Python interpreters (runtime_bootstrap) but that behavior is local to the process and documented in SKILL.md.
What to consider before installing
This skill's functionality (login, list, submit, query, update) is coherent with its code, but there are some things to check before installing:
- Confirm the missing declarations: SKILL.md and code require openssl and an OA_ENC_KEY (or a cached key file), yet the registry metadata listed no required binaries or env vars. Ask the author or maintainer to correct the registry metadata if you need explicit declarations for review/audit.
- Protect credentials: the skill reads a credentials file (~/.openclaw/workspace/memory/sn-work-record-credentials.md) which may be plain or .enc. If you use encryption, ensure OA_ENC_KEY is provided securely and file permissions restrict access (chmod 600). Prefer using .enc and providing the key only in a secure way.
- Evaluate the OCR handling: the captcha solver strips non-digit/operator characters then eval()s the expression. This is fragile — if the OCR output is malicious or the OA endpoint is compromised to return crafted captcha strings, eval could run unexpected code. If you will run this in a sensitive environment, review/modify the code to compute arithmetic safely (e.g., parse the expression into numbers/operators rather than eval).
- Check openssl availability: the code calls openssl via subprocess to decrypt files; ensure openssl on your system is the expected binary (absolute path if you want extra safety) and that using subprocess is acceptable in your environment.
- Network scope: the scripts will send credentials and tokens to the OA base URL you supply — confirm the base URL points to your internal OA server and not an untrusted external host.
- Run in isolation first: test in an isolated account/container with test OA credentials before using with real accounts.
If you are uncomfortable with any of the above or with the metadata mismatch, treat the skill as untrusted until the author clarifies and/or you harden the deployment (restrict files, review/patch eval usage, set explicit bin paths).scripts/oa_utils.py:126
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97b3pc1sqzgs3gnkkkadxre5x84ms4h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.