Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's code implements local bill storage, cron-based checks, and sending WeChat messages via the local 'openclaw' CLI — which matches the stated purpose. However the registry metadata did not declare required binaries (Node.js and the 'openclaw' CLI) even though install.sh and the scripts require them; the SKILL.md documents WEIXIN_* env vars but the package metadata lists no required environment variables. These mismatches are inconsistent and should be corrected.
Instruction Scope
SKILL.md and the scripts stay within the feature scope (adding/listing/removing bills and sending reminders). However the scripts construct shell commands with unescaped, user-controllable content (bill names, notes, message text, userId) passed to execSync('openclaw message send ... --message "..."'). This creates a command-injection risk if names/notes contain quotes or shell metacharacters. The install script also automatically appends a cron job to the user's crontab (persistent system change) — expected for cron-based reminders but worth explicit user consent.
Install Mechanism
There is no network download; install.sh is included and does local setup (permission bits, create log dir, init data file, add crontab). No external arbitrary URL downloads or archives were used. This is lower-risk than fetching remote code, but it does make persistent changes (crontab) and requires utilities that the metadata doesn't declare.
Credentials
The SKILL.md documents three environment variables (WEIXIN_CHANNEL, WEIXIN_ACCOUNT, WEIXIN_USER_ID) with sensible defaults and the code uses them. The registry metadata, however, lists no required env vars or primary credential. Also the scripts rely on the 'openclaw' CLI being installed and authenticated — but that CLI's credentials are not declared by the skill. This gap reduces transparency and could confuse users about what secrets/credentials are needed.
Persistence & Privilege
The skill adds a cron job to the user's crontab to run daily checks and writes logs/data under ~/.openclaw — these are persistent changes within the user's account (not system-wide). 'always' is false (not force-included). Adding a crontab entry is expected for this functionality but is a privileged persistent action that should be presented clearly to users before install.
What to consider before installing
What to consider before installing:
- Functional fit: The files implement a local bill tracker that sends WeChat messages via a local 'openclaw' CLI and schedules a daily cron job. That matches the skill description.
- Metadata gaps: The package metadata does NOT declare required binaries (Node.js and the 'openclaw' CLI) or the WEIXIN_* env vars the code reads. Expect to have Node.js and the OpenClaw CLI available and authenticated before using this skill.
- Persistence: install.sh will add a line to your user crontab and create logs under ~/.openclaw. If you don’t want that, inspect and run the install steps manually or edit the install script before running.
- Security risk — shell injection: The scripts build shell commands by embedding message text and user-provided fields directly into a string passed to execSync. If a bill name or note contains quotes or malicious content, it could break out and run arbitrary shell commands. To reduce risk:
- Only install from a trusted source.
- Inspect or patch sendWeixinMessage to avoid shell interpolation (use child_process.spawn with args array or properly escape/quote inputs).
- Validate/sanitize user inputs (names, notes) before adding them to data or sending messages.
- Data locality: Data is stored in a local JSON file (data/bills.json). Back it up if needed and set file permissions if you want to restrict access.
- Testing: The included tests expect 'jq' to be installed; run tests in a safe environment. Consider running the skill in a container or isolated account if you want to limit the blast radius.
If you are comfortable with the above (or can patch the code to avoid execSync string interpolation and fix metadata), the skill is usable. If not, decline or request the author to (1) declare required binaries/envs, (2) remove or document the cron modification explicitly, and (3) fix the command-construction to avoid shell injection.scripts/add-bill.js:62
Shell command execution detected (child_process).
scripts/check-bills.js:38
Shell command execution detected (child_process).
scripts/mark-paid.js:51
Shell command execution detected (child_process).
scripts/remove-bill.js:50
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk974xp10dzy5q4z3c95xe5jkgs83msxc
License
MIT-0
Free to use, modify, and redistribute. No attribution required.