Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Launcher
v1.1.0
Create Windows desktop shortcut and scripts for one-click OpenClaw startup on WSL. Use when: (1) user asks to create/open/fix OpenClaw launcher, (2) user rep...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (create Windows shortcut + scripts for one-click OpenClaw startup on WSL) matches the instructions: creating a scripts directory, writing .ps1/.bat launchers, configuring netsh portproxy, starting a systemd user service in WSL, keep-alive process, and optionally converting icons. All requested actions are coherent with the stated purpose.
Instruction Scope
Instructions stay within the launcher scope but include sensitive and high-impact steps: reading ~/.openclaw/openclaw.json inside WSL to extract a token, adding/removing netsh portproxy entries (requires admin), and using PowerShell -ExecutionPolicy Bypass to run hidden scripts. Also the provided SKILL.md appears truncated at the end (final shortcut-creation block is incomplete); you should not run commands until the full instructions are available and you inspect generated files.
Install Mechanism
No install spec or code files are present (instruction-only). Nothing is downloaded or written by an installer — risk from install mechanism is minimal.
Credentials
The skill declares no environment variables or credentials, which is appropriate. However, it explicitly reads a local OpenClaw config file in WSL to extract a token (sensitive secret material) and constructs a dashboard URL including that token. That behavior is proportionate to building an auto-login launcher but is sensitive and should be explicitly reviewed by the user.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. The only elevated action implied is running netsh portproxy (requires administrator rights), which is typical for binding Windows localhost to WSL IP but should be granted consciously.
Assessment
Before installing or running these instructions:
1) Inspect every generated .ps1/.bat/keep-alive file; don't run them blindly.
2) Be aware the script reads your WSL OpenClaw config (~/.openclaw/openclaw.json) to extract a token; that token is sensitive and is used locally to open a dashboard URL.
3) netsh interface portproxy changes networking and requires admin privileges; allow it only if you trust the source and understand the change.
4) PowerShell uses -ExecutionPolicy Bypass and hidden execution; this suppresses prompts and reduces protections, so prefer to review and run interactively first.
5) SKILL.md appears truncated; get the full instructions before proceeding.
6) If unsure, manually create the shortcut and run the steps one-by-one (or test in a disposable/VM environment).
7) Ensure Python + Pillow are installed if you need icon conversion, and back up any existing files the scripts may overwrite.
Like a lobster shell, security has layers — review code before you run it.
