Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Dashboard

v2.0.4

Manage your AI skills the way you manage phone apps: paged display, one-click inspection, easy management

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (manage installed skills via a dashboard) matches the code: it lists installed skills and calls clawhub to inspect/update/uninstall. However SKILL.md metadata lists a required binary 'jq' while the registry metadata says no binaries required and none of the JS code calls jq. Also the package is described as 'instruction-only' while the registry contains multiple code files—these inconsistencies suggest sloppy packaging or outdated metadata.
Instruction Scope
The runtime code uses child_process.exec to run clawhub list/inspect/update/uninstall and to open the browser. Some exec calls use values derived from user input or loosely-parsed strings (e.g., update/uninstall paths), and there is no obvious sanitization of those inputs before interpolation into shell commands — a potential command-injection vector. The dev-dashboard reads another package's state file via a relative path (path.join(__dirname, '..', 'skill-dashboard', 'skill-state.json')), which may access unexpected files depending on install layout. The SKILL.md promises local-only caching and two-step confirmations, which the code mostly implements, but the exec usage and path assumptions broaden the skill's effective scope.
Install Mechanism
There is no install spec (lowest install risk), but code files are included so runtime will execute locally. The lack of an install script is not dangerous per se, but combined with executable child_process calls it means the skill relies on the environment (clawhub CLI present) and will execute shell commands at runtime.
Credentials
The skill does not request environment variables, secrets, or external credentials. Its filesystem access is limited to local cache/state files within the skill directory (skill-state.json, dev-cache.json). That is proportionate to the stated purpose. However, the skill will run clawhub CLI commands which can alter installed skills (update/uninstall) and so needs the clawhub CLI and appropriate OS permissions.
Persistence & Privilege
always is false and the skill does not request persistent platform privileges. It writes its own cache/state files but does not attempt to modify other skills' configuration files directly (aside from invoking clawhub CLI which can change installed skills). The combination of autonomous exec of clawhub commands and lack of input sanitization increases blast radius, but persistence flags are normal.
What to consider before installing
This skill is plausibly what it says (a local dashboard) but there are red flags you should consider before installing:
- Metadata mismatch: SKILL.md says it requires 'jq' but the package metadata and code do not—ask the maintainer to clarify and provide an updated package manifest.
- Command execution risk: the code uses shell exec (clawhub inspect/update/uninstall, open) with parameters that can come from parsed text or user input. If an attacker can cause a crafted skill name to be processed, it could lead to shell injection. Ask the developer to sanitize inputs or use execFile/spawn with argument arrays.
- File/path assumptions: dev-dashboard reads a sibling skill-state file via a relative path; confirm install layout so it doesn't accidentally read unrelated files.
- Operational impact: the skill will call clawhub update/uninstall, which can modify or remove other skills. Confirm you trust the skill and the clawhub CLI on your system.
Recommended actions before installing:
1. Review the source (the included JS files) yourself or ask the author to explain the jq metadata and the relative path usage.
2. Verify clawhub CLI is legitimate and required; consider running the code in a sandbox or review/modify it to use safer child_process APIs (pass arguments as arrays, validate slugs against a strict pattern).
3. If you plan to use it, ensure backups for your skills, and only allow confirmed update/uninstall actions.
If the maintainer can address input sanitization and fix the manifest inconsistencies, this would lower my concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk979nzmkhyk56n4b8zp9vjs43h81xgt8
