Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name and description match the actions described (detect and fix nested workspaces). However, the runtime instructions depend on PowerShell scripts at E:\.openclaw\workspace\scripts which are not bundled or declared; an instruction-only skill that expects absent, absolute-path scripts is an inconsistency.
Instruction Scope
SKILL.md instructs scanning, deleting nested directories, and modifying configuration files via external scripts (detect-nested-workspace.ps1, validate-workspace.ps1, fix-nested-workspace.ps1). The skill does not include those scripts or show their contents, so following instructions could execute arbitrary, potentially destructive code on the user's filesystem. Although it recommends DryRun and backups, the agent could be asked to run the real fix without a way to verify what will run.
Install Mechanism
There is no install spec (lowest install risk). But the absence of bundled scripts or any declared source for the referenced scripts is inconsistent with the instructions and raises a risk: the skill assumes preinstalled artifacts at a specific absolute path (E:), which may not exist or may contain malicious/incorrect scripts.
Credentials
The skill declares no required environment variables or credentials, which is reasonable, but its operations require filesystem access and likely elevated permissions to delete directories and update config files. Those privilege requirements are not surfaced, and the skill gives no guidance for verifying script integrity or scoping permissions.
Persistence & Privilege
The skill does not request persistent inclusion (always:false) and does not declare modifications to other skills or system-wide settings. Autonomous agent invocation is allowed by default (not flagged here), but weigh it together with the other concerns (external destructive scripts) when deciding whether to enable the skill.
What to consider before installing
This skill tells you to run PowerShell scripts at E:\.openclaw\workspace\scripts to delete or modify workspace directories, but the scripts are not included — don't run fixes blindly. Before installing/using: (1) ask the author to provide the actual scripts or include them in the skill package, (2) inspect the script contents to verify they only do the described safe actions, (3) back up your config and data, (4) run the provided DryRun first, and (5) if possible run the scripts in an isolated/test environment or with a least-privilege account. If you cannot inspect the scripts or confirm their origin, treat this skill as unsafe to run.

Like a lobster shell, security has layers — review code before you run it.
