Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Exec Tool

v1.0.0

Securely executes predefined clawhub CLI commands within controlled OpenClaw workflows, preventing unsafe or arbitrary system operations.

by Mayuran Ys (@mayuran1096)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description and code agree on purpose (execute clawhub CLI commands), so capability is plausible; however the security claims in SKILL.md (prevents destructive ops) are not enforced by the implementation, making the stated purpose and actual behavior inconsistent.
Instruction Scope
SKILL.md restricts execution to whitelisted commands and promises prevention of destructive operations. The runtime code accepts any string starting with 'clawhub' and calls subprocess.getoutput (shell), which allows shell operators and injection (e.g., 'clawhub; rm -rf /'), so instructions' safety constraints are effectively bypassed.
Install Mechanism
No install spec (instruction-only with a small Python file). Nothing is downloaded or installed during setup, so there is low install-time risk.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate for a CLI execution helper.
Persistence & Privilege
The skill is not always-enabled and requests no elevated platform privileges. Autonomous invocation is allowed (platform default), which increases blast radius but is not itself unusual here.
Scan Findings in Context
[subprocess-getoutput-shell-exec] unexpected: tool.py uses subprocess.getoutput(command), which executes via the shell; combined with a permissive startswith('clawhub') check, this enables command chaining/injection (e.g., 'clawhub; dangerous_cmd'). This is not expected for a skill that claims to prevent destructive operations.
What to consider before installing
Do not install this on sensitive systems as-is. The skill's README promises safe execution, but the code runs the provided string through the shell after only a prefix check, so an attacker or an accidental input like 'clawhub; rm -rf /' would execute additional commands. If you need this functionality, require one of the following before trusting it: (1) change the implementation to use subprocess.run([...], shell=False) and parse/validate arguments, (2) restrict to an exact allowlist of full command patterns (not prefix checks), (3) perform strict argument validation/escaping, and (4) run it only in isolated, disposable environments. If the author can provide a patched version using safe subprocess invocation and a stronger whitelist (and show tests proving injection isn't possible), reassess. Otherwise treat this as unsafe for production or publicly accessible agents.

Like a lobster shell, security has layers — review code before you run it.

latestvk9760e2j2s7tgyaj6m22e4h3ts84qc3d

