Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clawscan Vigil

v0.2.0

Scan OpenClaw Skills for security risks before installation; combined static and dynamic detection identifies malicious code.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill's name and description (local pre-install scanner) align with the code: static_analysis + restricted dynamic execution + a CLI. However the registry metadata only requires 'python3' and 'pip' while the code imports many third-party Python packages (click, rich, RestrictedPython, tomllib (3.11+), etc.). There is no install spec to ensure those dependencies are installed. This mismatch (declaring only binaries but not Python package deps or an install step) is disproportionate and will cause runtime failures or require manual installation by the user.
Instruction Scope
SKILL.md instructs running scans against local Skill directories and claims scans run fully locally with no uploads. The implementation appears consistent: the dynamic tracer uses RestrictedPython and a mock __import__ to avoid executing real network/file operations. Still, dynamic analysis intentionally skips code containing dangerous constructs (eval/exec, __import__, long loops), so it may produce false negatives for obfuscated or highly dynamic malicious code. The scanner also exposes JSON export and batch scanning features (Premium) that will write output files locally—contradicting any absolute claim that 'no results are collected' if the user requests exports.
Install Mechanism
There is no install spec in the registry. The package includes code that depends on multiple Python libraries (click, rich, RestrictedPython, tomllib (py3.11), etc.), but the registry only lists python3 and pip as required binaries. Because the skill doesn't provide an automated install step to install its Python dependencies, installation as-is may fail. Absence of a controlled install step increases friction and the chance users will run ad-hoc pip installs themselves, which expands the attack surface if they use untrusted package sources.
Credentials
The skill does not request environment variables or external credentials. It stores license and usage files under a user directory (~/.clawscan), which is expected for a tool with a local license/quota model. No code paths were found that attempt to exfiltrate code or scanning results externally. Still, the presence of license activation/URLs and multiple placeholder links (e.g., github.com/yourname) is a trust concern: verify the upstream project and URLs before trusting license keys or following external links.
Persistence & Privilege
always:false and normal autonomous invocation are used. The skill creates (and will write) a local config directory (~/.clawscan) and license/usage JSON files, which is reasonable for quota/license bookkeeping. There is no code that modifies other skills or global agent settings. No 'always: true' or elevated system-wide privileges are requested.
What to consider before installing
This package appears to implement a local scanner and does not attempt network exfiltration in the included code, but there are notable red flags you should address before installing:

- Dependencies: The code imports click, rich, RestrictedPython, and other libraries, but the registry only lists python3 and pip and provides no install script. Expect to install the required Python packages manually, or expect installation to fail. Prefer installing in an isolated virtualenv and inspect the packages you install.
- RestrictedPython & dynamic analysis limits: Dynamic tracing runs code in a mock sandbox and purposely refuses to execute code containing constructs like eval/exec or __import__. Malicious code that obfuscates behavior or uses native extensions may evade detection—do not assume a clean scan guarantees safety.
- Metadata inconsistencies: SKILL.md/README include placeholder or mismatched links (e.g., github.com/yourname, clawscan.dev). That could be a sign the project is incomplete or not from a well-maintained upstream. Verify the project homepage and repository history before trusting or paying for 'Premium' features.
- Local writes: The tool will create ~/.clawscan and write license/usage files and can export JSON reports. If you need strict privacy, run scans in an isolated environment and review exported files.

What would raise confidence: an explicit install spec (or pyproject/pip wheel) that lists and installs required Python packages from known sources; a consistent, verifiable upstream repository and release artifacts (GitHub releases or PyPI); and clearer handling of RestrictedPython availability and a tomllib fallback for Python <3.11.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

core/dynamic_tracer.py:122 — Dynamic code execution detected.




Runtime requirements (Clawdis)

OS: Linux · macOS · Windows
Bins: python3, pip
