Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Gstack Openclaw
v2.5.10 World-class thinking collection: combines the engineering thinking of Google Staff Engineers, Martin Fowler/Kent Beck/Jeff Dean, the startup thinking of Paul Graham/Sam Altman, the innovation thinking of Elon Musk, and the design thinking of Stripe/Airbnb. v2.5.10: removed install.sh to completely eli...
⭐ 1 · 959 · 4 current · 4 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
The skill's name/description (a role-driven engineering productivity kit) matches the provided content: many role-oriented SKILL.md files, templates and examples. It does not declare any required binaries, env vars, or credentials. The included examples show integrations with GitHub, CI, WebPageTest, PSI, Datadog, Prometheus, Playwright, etc., which are reasonable for a documentation skill that teaches integrations — but those examples reference API keys and network calls even though the top-level SKILL.md/SECURITY.md claim 'no external API calls'. This is plausible for user-facing examples, but the presence of such examples alongside that claim is worth noting.
Instruction Scope
The main SKILL.md and SECURITY.md repeatedly claim the skill is documentation-only and does not perform network calls or run scripts. However:
(1) Multiple places (SKILL.md and README) still show manual install commands using git clone and './install.sh', despite the changelog and SECURITY.md stating that install.sh was removed in v2.5.10. That inconsistency could mislead users into running a script that may not exist, or that may differ in other versions.
(2) Subskill docs include runnable code snippets that read local state (e.g., Playwright examples that read localStorage) and examples that POST telemetry (fetch('/analytics')) or curl the WebPageTest/PSI APIs with API keys. Those are examples, not active code in the skill, but they provide actionable commands that, if executed by the user or by an agent with tooling permissions, could access local tokens or reach external services.
The SKILL.md also instructs creating GSTACK.md in the project root (a file write), which contradicts the wording that it 'does not read/write user files' unless the write is done via standard OpenClaw tools. Overall the instructions are mostly documentation, but the mixed messaging and executable examples are a scope concern.
Install Mechanism
There is no declared install specification and no code files to execute; the registry metadata indicates an instruction-only skill. The README and SKILL.md mention 'clawhub install' (expected) but also include 'git clone' plus './install.sh' commands — even though v2.5.10 claims install.sh was removed. Because there's no packaged install spec and no archive downloads, installation risk is low, but the leftover references to an install.sh are an inconsistency worth verifying before running any manual commands you find in the docs.
Credentials
The skill declares no required env vars or secrets (primaryEnv none). However many documentation examples show using service API keys (WebPageTest k=YOUR_API_KEY, PSI YOUR_API_KEY, Datadog/NewRelic examples, Kubernetes secretKeyRef). These are typical templates and do not mean the skill will request or exfiltrate credentials, but they do mean that using the documented integrations will require you to supply credentials elsewhere. The skill itself does not ask for credentials, which is proportionate, but the docs include code that could read local tokens (browser localStorage access) — users should not grant the agent tooling access to sensitive environments or secrets unless intended.
Persistence & Privilege
The skill is not always-enabled (always:false) and does not request elevated persistence or modify other skills. Autonomous invocation is allowed (disable-model-invocation:false), which is normal. There is no evidence this skill attempts to change other skills or system-wide settings.
What to consider before installing
Summary of what to check before installing or using this skill:
- The package appears to be documentation-only and coherent with its stated purpose (role-based engineering guidance). That said, the repository/documentation contains contradictory lines: several places still show a manual install using './install.sh' while the changelog and SECURITY.md say install.sh was removed. Do NOT run arbitrary install scripts without inspecting them first.
- Many examples in the subskills show runnable code that accesses network APIs, posts telemetry, or reads local browser state (e.g., Playwright page.evaluate retrieving localStorage). These are templates/examples — the skill itself doesn't declare credentials — but if you execute those examples (or grant the agent browser/control tooling), they could read local tokens or send data off-host. Only run such scripts in safe environments and avoid running browser automation against sites holding secrets or tokens.
- Prefer the documented clawhub install path. If you must use manual install, inspect the repository on GitHub (https://github.com/openclaw/gstack-openclaw) and verify there is no install.sh or other executable you don't trust. Clone the repo and manually inspect files before executing anything.
- Don't paste API keys, tokens, or other secrets into chat prompts. If you want the skill to reason about integrations, provision credentials separately to the appropriate official skills or tooling and grant the minimal scope required.
- If you plan to use the 'browse' or automation examples, run them in a sandboxed/test environment and review any generated scripts for calls that send data externally (fetch/curl) or read local storage.
- If you want higher assurance, ask the author/maintainers for confirmation (or open an issue) that the published package truly contains no install scripts or executables; verify the published tag/release on the GitHub repo matches the registry package.
Why 'suspicious' and not 'malicious': There is no clear evidence of deliberate misdirection or hidden executables — the main issue is inconsistent documentation that could mislead less-technical users into running commands. Those inconsistencies and the presence of many actionable network examples justify caution.
Tags: development, latest, productivity, workflow
Runtime requirements
🦞 Clawdis
