Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Spacesuit

v0.3.0

A comprehensive OpenClaw workspace framework providing session protocols, memory system, git workflow, safety rules, priority triage, communication handoffs,...

by Jonathan Tsai (@jontsai)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and files match a workspace scaffold: templates, base content, installer, upgrade/diff, and a session-sync script. However, several policy files (AGENTS.md, TOOLS.md) explicitly instruct searching the workspace root, cloud storage, home config (~/.config), dotfiles, and .envrc for credentials — behavior that is broader than a minimal scaffold and worth scrutiny.
Instruction Scope (!)
Runtime documentation and base AGENTS.md instruct agents to automatically load SECURITY.md, SOUL.md, USER.md and read daily memory files, search home config and cloud storage, and 'Don't ask permission. Just do it.' This grants the agent broad discretion to read local files (including potential secrets) and discover data outside the workspace; scripts also read ~/.openclaw session transcripts. The explicit instruction to proactively search home dotfiles and cloud locations is scope-creep for a scaffold.
Install Mechanism
No remote installers or downloads; the package is instruction-only from ClawHub and contains local bash scripts (install/upgrade/diff/sync) that copy templates into the workspace and create local directories. No external network fetches or obscure URLs in the install path were found.
Credentials (!)
The package declares no required environment variables, but the documentation and templates instruct searching .envrc, .env, ~/.config, gateway config and environment variables for credentials. Asking agents to scan these credential locations is disproportionate unless the user explicitly consents and configures it; the skill does not declare or justify needing blanket access to secrets.
Persistence & Privilege
always: false and user-invocable: true. The install/upgrade scripts write files into the workspace (templates, scripts, .spacesuit-version, heartbeat state), which is expected for a scaffold. The skill does not request system-wide privileges or modify other skills.
Scan Findings in Context
[ignore-previous-instructions] expected: This string appears in base/SECURITY.md as an example of a disallowed injection pattern; it's defensive (the package tells agents to refuse such prompts). Presence is expected.
[system-prompt-override] expected: Also present in SECURITY.md as a disallowed pattern / prompt-injection example; included to teach agents to refuse overrides. Expected for a security-focused scaffold.
[unicode-control-chars] expected: Scanner flagged unicode-control-chars pattern — likely because docs mention encoded/obfuscated payloads or examples. The repo's SECURITY.md disallows encoded payloads; presence is explanatory/defensive rather than malicious.
What to consider before installing
- Review and run in a safe test workspace first: clone the repo into a throwaway workspace and run ./scripts/diff.sh and ./scripts/upgrade.sh --dry-run before applying anything to a production workspace.
- Inspect the templates and scripts yourself (install.sh, upgrade.sh, sync-operators.sh). The package will copy files and scripts into your workspace root and create directories (memory/, handoff/, decisions/, scripts/, state/).
- Pay special attention to instructions that tell agents to search ~/.config, dotfiles, .envrc, and cloud session folders. Those are common places for secrets. If you do not want automatic scanning of those locations, avoid running the sync scripts or modify them to limit paths (or set OPENCLAW_SESSIONS_DIR explicitly and run with --dry-run).
- Note contradictory guidance: AGENTS.md contains both a strict SECURITY.md and the line 'Don't ask permission. Just do it.' Decide which behavior you want agents to follow; consider editing AGENTS.md/SOUL.md to enforce explicit consent before any external or cross-home actions.
- The pre-scan "injection" patterns are present in SECURITY.md as defensive examples; they are not an active attack but demonstrate that the project trains agents to refuse such prompts.
- Practical steps: run sync-operators.sh with --dry-run; set restrictive file permissions on the workspace; ensure you control OPENCLAW_PROFILE/OPENCLAW_SESSIONS_DIR before running; search the templates for any accidental secret values before upgrade/install.

Confidence: medium — the package is internally consistent as a scaffold, but several explicit instructions expand its read-scope to home/cloud credential locations and include strong autonomy language that may be surprising; that makes the risk profile ambiguous and worth manual review before use.
