Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (rewrite an incomplete user query using conversation history) aligns with the included code: index.js invokes rewrite_question.py which implements LLM-driven rewrite logic and QA matching. It reasonably accepts optional Gemini API parameters. Minor inconsistency: SKILL.md frames the skill as instruction-only but the package actually contains runnable code that will be executed.
Instruction Scope
The SKILL.md and code instruct the agent to run a local Python script that performs LLM calls and QA SQL time-updates. index.js also reads a parent .env file (../.env) if present and will pass the full process environment into the child process, which means the Python code can access any environment variables available to the agent. That behavior (silent loading/exposure of environment secrets) expands scope beyond the simple rewrite task and is not declared in the skill metadata.
Install Mechanism
There is no install spec or remote download; the skill is delivered as local code files and executed via spawning the system Python. No archive downloads or package installs were found in the manifest.
Credentials
The skill declares no required env vars, yet index.js will use GEMINI_API_URL / GEMINI_API_KEY / GEMINI_TOKEN if present and will also load ../.env and forward the entire process.env to the Python process. This implicit, wide environment access (including unrelated secrets) is disproportionate to a straightforward rewrite task and not surfaced in metadata.
Persistence & Privilege
The skill is not marked 'always:true' and does not request persistent system-level privileges. It communicates via stdio when invoked by the agent; no evidence it modifies other skills' configs or requests permanent presence.
What to consider before installing
This skill appears to implement the advertised rewrite functionality, but it will: (1) read a parent ../.env file if present, and (2) pass the whole process environment into the spawned Python process, giving the Python code access to any environment variables or secrets available to the agent. The Python code also imports httpx and will make network calls (expected for LLM/API usage). Before installing, consider: - Inspect rewrite_question.py fully to see what external endpoints it calls and whether it transmits user data. - Do not run it in an environment that contains unrelated secrets (AWS keys, DB credentials, tokens). Prefer creating a minimal environment exposing only the explicit GEMINI_* variables required. - Remove or sanitize any ../.env file you don't want read, or patch index.js to avoid auto-loading parent .env. - If you must keep secrets in the agent environment, avoid installing this skill or run it in an isolated container. - If you want higher assurance, ask the author to explicitly declare required env vars and to stop inheriting the entire process.env/.env files.index.js:101
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk979ttq89kafbsye3zfgyx6hdd833qtm
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🐬 Clawdis