Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

baidu-skill-guard

v1.0.9

Intercepts all skill install/download requests. MUST be used before installing/downloading any skill from ClawdHub, GitHub, 百度 AppBuilder 平台, or other source...

5· 288·1 current·1 all-time
by chengbo@jenics
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description claim to intercept skill installs and run a security check; included scripts (check.sh, check.py, check.js) implement an API query workflow to a remote endpoint (https://skill-sec.baidu.com). The requested capabilities (query by slug/version, scan installed skill directories) are consistent with a 'guard' skill. However, the skill mandates interception of all install-related intents across all languages, which is broader than many guard utilities would require.
Instruction Scope
SKILL.md mandates the agent must stop installs and run the included check.sh script, copy the API's report_text verbatim, and automatically proceed on 'safe' results. The instructions call for scanning local skill directories (--file /path/to/skills) and batch scans, which implies the script will read local files (and at minimum compute hashes). The SKILL.md gives the remote script authority to decide install flow (automatic proceed on 'safe'), and forces use of the remote-provided report verbatim — both are scope/decision controls that elevate the remote service's influence over local installs. The documentation does not clearly describe exactly what data is transmitted to the remote API (slug/version only, hashes, or file contents), leaving a potential for unintended data exfiltration.
Install Mechanism
There is no network-based install spec; the skill is instruction-only with bundled scripts. No external archive downloads or executable installers are pulled at install time. The risk comes from the bundled scripts performing outbound network requests at runtime rather than from an install mechanism that fetches arbitrary code.
Credentials
The skill does not request environment variables or credentials and does not require binaries. That matches the stated purpose. However, the scripts call a remote API (skill-sec.baidu.com). The manifest does not declare the network endpoint or a privacy policy, and the SKILL.md does not specify exactly which local data will be sent when scanning a directory (slug/version/hash vs full file upload), so the level of data access is not fully described.
Persistence & Privilege
The manifest's always flag is false and the skill is user-invocable. The SKILL.md intends the skill to be triggered automatically on any install/scan intent (very broad trigger patterns). Autonomous invocation plus outbound network queries means it could be called frequently and send metadata to the external API — that combination increases blast radius but is not in itself a policy violation under the platform defaults.
What to consider before installing
This skill appears to implement a legitimate 'pre-install security check' by calling an external API (https://skill-sec.baidu.com). Before installing or enabling it, consider the following:

- Verify the remote API and owner: the registry metadata shows no homepage and an unknown owner; confirm that skill-sec.baidu.com and the package owner are trustworthy (this looks like a Baidu domain but you should confirm).
- Confirm what data is sent: test the scripts locally (run check.sh with --slug only) and monitor outbound requests to see whether the script sends only slug/version/hashes or whether it uploads file contents when using --file. If you must scan local skill directories, prefer a mode that sends only non-sensitive metadata/hashes.
- Review the code fully: the included Python/Node scripts are the runtime behavior. Review the remainder of the code (truncated portions) to ensure there is no hidden upload of full files or other surprising behavior.
- Watch automated decisions: the protocol instructs the agent to proceed automatically on a 'safe' bd_confidence. Decide whether you want automatic installs or prefer manual confirmation even for 'safe' results.
- Least privilege: if you use it, run scans with explicit slug/version first and only use directory-scan modes when absolutely necessary and after confirming what will be transmitted.

If you cannot validate the remote service or the exact data flow, treat this skill as untrusted and do not enable automatic, system-wide interception of install intents.


latest: vk97ae14ga5kn7d378ah9xy84rx83p6g6
