ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HostLink

v0.1.0

Execute commands on the host machine from inside the OpenClaw container via the HostLink daemon. Provides secure, authenticated remote shell execution over a...

0· 49·0 current·0 all-time
by@jebadiahgreenwood
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description match the runtime instructions: this skill is explicitly for executing commands on the host via a hostlink daemon. Asking for access to the host socket and the ability to run host commands is coherent with that purpose.
!
Instruction Scope
The SKILL.md instructs use of a required secret (HOSTLINK_TOKEN) and host socket paths and tells the user to add that token to openclaw.json or workspace/.env. The registry metadata declares no required env vars or config paths, so the instructions access secrets/configuration that the skill metadata does not advertise. The instructions also enable arbitrary host command execution (including reading /etc, GPU tooling, Docker, etc.), which is expected but high-impact.
Install Mechanism
This is an instruction-only skill (no install spec) so it won’t write code into the container. The setup guide points to a GitHub repo and building/installing host binaries on the host — normal for a host-side daemon, but you should vet the upstream repository and binary before installing on your host.
!
Credentials
Although SKILL.md requires an auth token (HOSTLINK_TOKEN) and suggests placing it in openclaw.json or workspace/.env, the registry metadata lists no required env vars and no required config paths. Requesting a persistent secret (potentially stored in ~/.openclaw/openclaw.json) without declaring it is disproportionate and a metadata mismatch. Storing the token in a global agent config grants ongoing host-execution capability to the agent if invoked.
!
Persistence & Privilege
always:false (good), but the skill is user-invocable and the platform allows autonomous invocation. If the HOSTLINK_TOKEN is placed in agent configuration (as the guide suggests), the agent would have persistent credentials enabling arbitrary host command execution. That combination (autonomous invocation + undisclosed persistent secret) materially increases risk.
What to consider before installing
This skill legitimately provides host command execution — which is powerful and risky. Before installing or enabling it: - Treat HOSTLINK_TOKEN as a high-value secret. Do NOT store it in global config files unless you understand the risk; prefer ephemeral or workspace-scoped secrets and avoid committing it to disk or git. - The registry metadata is inconsistent: it does not declare the required HOSTLINK_TOKEN or config path it expects. Ask the publisher to correct metadata or do not trust automatic installation. - Vet the hostlinkd repository/binary (https://github.com/jebadiahgreenwood/hostlink) before installing on your host; build from source if you must, and review the code for privilege escalation/backdoors. - Run hostlinkd as a least-privileged user where possible; do not run it as root unless you accept the risk. - Limit socket access (unix_mode, group membership) and avoid enabling TCP unless protected by WireGuard and strict network controls. - If you enable this skill for an agent, restrict autonomous invocation or remove the token from global agent configs; consider requiring explicit human confirmation for any host-executed command. - Rotate the auth token after any change, and monitor hostlinkd logs for unexpected commands. Given the metadata/instruction mismatch and the ability to run arbitrary host commands, proceed only if you fully trust the daemon, the repo, and the people who will control the agent.

Like a lobster shell, security has layers — review code before you run it.

bridgevk975zdfgar7t46kgchk11671d5847k4ddockervk975zdfgar7t46kgchk11671d5847k4dexecvk975zdfgar7t46kgchk11671d5847k4dhostvk975zdfgar7t46kgchk11671d5847k4dlatestvk975zdfgar7t46kgchk11671d5847k4dlocalvk975zdfgar7t46kgchk11671d5847k4dshellvk975zdfgar7t46kgchk11671d5847k4d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments