Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OSNK Trainer

v1.0.8

OSNK Trainer - OSK/OSNK/SNK/Bebras question bank (2006-2025) with smart practice, speed runs, performance tracking, and full mentoring.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (OSNK trainer) match the packaged content: many local .md question banks, a simple bash runtime, and JSON state files. There are no declared env vars, binaries, or unrelated credentials requested, which is proportional to an offline quiz trainer.
Instruction Scope
SKILL.md describes only local operations (reading .md files, writing JSON into memory/) which is consistent — but it also documents an optional GitHub fallback (raw.githubusercontent.com) used when local files are missing. The provided package includes a SECURITY.md that describes run.sh behavior, but the actual run.sh source was not included in the review text here (only its presence/size is listed). Because the runtime behavior (parsing commands, fetching fallbacks) is implemented by run.sh, not seeing its contents prevents verification that it truly never executes arbitrary code, never uses eval, and only performs safe GET requests.
Install Mechanism
There is no install spec (instruction-only skill plus an included run.sh). That is low-risk compared to remote installers. No archives or third-party package installs are declared. However, the included executable script (run.sh) would be executed at runtime — its contents should be reviewed before running.
Credentials
The skill declares no required env vars or credentials and stores data under $OPENCLAW_WORKSPACE/memory or ./memory — this is proportional. Note: SKILL.md/SECURITY.md reference $OPENCLAW_WORKSPACE and an optional outbound HTTPS fallback to raw.githubusercontent.com/jrrqd/osnk-question-bank; network access is reasonable for a fallback but it is an external endpoint and should be trusted/verified before allowing the skill to fetch from it.
Persistence & Privilege
always is false and the skill stores only JSON under the workspace memory directory. It does not request system-wide privileges. SECURITY.md mentions no sudo or system modifications. There is a minor oddity: SECURITY.md points to a local path under a developer's home and an npm-global path which suggests typical dev install locations, but not elevated privileges.
What to consider before installing
This package appears to be a legitimate offline OSNK/Bebras question trainer with local markdown banks and local JSON state, but before installing or enabling autonomous invocation you should:
1) Inspect run.sh yourself (open the file) to confirm it contains only safe parsing, file reads/writes, and at most harmless HTTPS GETs to the documented GitHub raw URL; confirm specifically that there is no eval/exec of downloaded content, no use of curl/wget|--output to execute archives, and no exfiltration logic.
2) If you cannot review the script, run the skill in an isolated sandbox or VM and monitor network traffic and filesystem writes.
3) If you allow the GitHub fallback, verify the exact repository URL (raw.githubusercontent.com/jrrqd/osnk-question-bank) and ensure you trust that upstream content; consider blocking network access if you want fully local-only operation.
4) Check that writing to $OPENCLAW_WORKSPACE/memory (or ./memory) fits your privacy requirements and that you are comfortable storing practice data locally.
5) Because source/homepage are unknown, prefer manual review and sandboxing; if you need higher assurance, ask the author for the run.sh source (or for a signed release) and verify it matches the packaged script.

Like a lobster shell, security has layers — review code before you run it.

Tags: education, informatika, latest, latihan-soal, olimpiade
