Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Debugging Assistant

v1.1.0

Debugging assistant. Analyzes error logs, suggests breakpoints, traces execution flow, and helps identify root causes of issues.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the included runtime (scripts/main.py) and the SKILL.md examples (analyze-error, suggest-breakpoints, trace). However SKILL.md references additional modules (error_analyzer.py, tracer.py) that are listed in the docs but not present in the file manifest, which is an inconsistency that could indicate an incomplete package or omitted behavior.
Instruction Scope
SKILL.md instructs the agent (or user) to run the included Python script against error text or files. That is within the stated purpose. But the runtime can read arbitrary files you point it to (e.g., --file src/main.py) and the main script attempts to import code from a sibling 'c-support' directory outside the package — meaning it may load code from outside the bundle if present. Because the provided main.py is truncated in the listing, I cannot fully confirm whether it makes network calls, executes external commands, or exfiltrates data, so exercising caution is warranted.
Install Mechanism
No install spec; the skill is instruction-only with a Python script included. Nothing is downloaded or written to disk by an installer, which is lower risk.
Credentials
The skill requests no environment variables or credentials — this is proportionate. That said, the script can read files specified by the user and tries to import a 'c-support' library from outside the package, which could cause it to execute code from adjacent filesystem locations. The absence of declared env vars hides nothing in this case, but verify it doesn't read unexpected sensitive config files at runtime.
Persistence & Privilege
always:false (default) and no install hooks are present. The skill does not request permanent presence or elevated privilege in the registry metadata.
What to consider before installing
This skill looks like what it says (a debugging helper) but there are red flags you should check before running it on important data or a production host:
- Inconsistency: SKILL.md mentions helper modules (error_analyzer.py, tracer.py) that are not included in the package. Ask the author or check a full source tree before trusting behavior.
- Inspect scripts/main.py fully: search for network/socket/HTTP libraries (requests, urllib, socket), subprocess/os.system calls, or code that reads unexpected paths (~/, /etc/, ~/.ssh, cloud SDK configs). If you see such calls, treat them as high risk.
- The script attempts to import a 'c-support' library from a sibling directory outside the package; ensure there is no malicious code in that path on your system, or run the skill in a sandbox/container without that directory present.
- Run the script in an isolated environment (container, VM) first and avoid passing it sensitive files. If you must run on real code, audit the source or run static grep for risky APIs (requests, socket, subprocess, open with absolute paths) before use.

If you want, provide the full contents of scripts/main.py (untruncated) and I can do a deeper, line-by-line check for network I/O, subprocess execution, or data-exfiltration behaviors.

Like a lobster shell, security has layers — review code before you run it.
