Codeflicker

Security checks across malware telemetry and agentic risk

Overview

This skill wraps a legitimate-looking coding CLI, but it encourages automatic execution and broad extension/workspace powers that users should review carefully before installing.

Install only if you are an intended CodeFlicker/Kuaishou user and trust the internal npm package and SSO flow. Keep approvalMode at default unless working in a disposable sandbox, review generated shell commands, avoid untrusted skill or MCP sources, and verify workspace status before merge or delete operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
The skill documents the ability to install arbitrary skills and MCP servers from external sources, which expands the trust boundary far beyond a normal coding assistant. This creates a supply-chain and prompt-injection risk because newly added components may execute code, access data, or alter agent behavior without meaningful review.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
The documented `flickcli run` feature converts natural language into shell commands and supports execution, which materially increases the chance of unintended or unsafe command execution. For a programming assistant, this is dangerous because ambiguous prompts, prompt injection, or model mistakes can lead to destructive filesystem, network, or credential-impacting actions.

Missing User Warnings

Severity: Medium
Confidence: 88%
The README advertises a destructive command, `flickcli workspace delete <name>`, immediately after merge-related workflow steps without any warning, confirmation guidance, or recovery caveat. In an agent-skill context, documentation is often operationalized by automation or copied verbatim by users, so normalizing deletion commands without safeguards increases the chance of accidental data loss or workspace removal.

Missing User Warnings

Severity: Medium
Confidence: 90%
The configuration section recommends `approvalMode yolo` and only adds a minimal 'use with caution' note, which is insufficient for a mode that auto-executes operations. Presenting this as a normal configuration option without prominent risk disclosure can normalize unsafe autonomous behavior and lead to unintended file or system changes.

Missing User Warnings

Severity: Medium
Confidence: 93%
The auto-use instructions tell OpenClaw to invoke `flickcli` automatically for development tasks, but they do not warn that the tool may execute commands, edit files, or take further autonomous actions inside `~/work`. This is especially risky because it encourages routine delegation to another agentic CLI without user awareness or consent at the time of use.

VirusTotal

64/64 vendors flagged this skill as clean.