ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Rr Renamer

v1.0.0

Use RenameRegex (RR.exe) as a generic Windows CLI bulk renamer from OpenClaw. Use when you need regex search/replace renames with preview (/p pretend), recur...

0· 90·1 current·1 all-time
byAltair@nextaltair
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The name and description indicate a thin wrapper around RR.exe (a Windows CLI tool). The SKILL.md expects RR.exe to be on PATH (reasonable) and recommends PowerShell 7 (reasonable) — but it also claims a 'bundled script' (scripts/rr_run.ps1) that would perform argument quoting, preview/apply logic and logging. No code files are present and no install spec is provided, so the promised 'bundled script' does not actually exist in the package. Additionally the doc references '~/.local/bin' (a Unix-style path) while otherwise targeting Windows PowerShell, which is inconsistent.
!
Instruction Scope
The runtime instructions are narrow (always preview, explicit user approval before apply, avoid /f, log invocations) which is good, but they instruct the agent to 'use the bundled script' and refer to scripts/rr_run.ps1 that is not included. The doc also makes environment assumptions (RR.exe on PATH, prefer pwsh.exe) and gives quoting advice for PowerShell; because the wrapper script is missing, the agent or user would need to compose commands themselves, increasing risk of errors. Logging behavior is mandated but not specified (where/how logs are stored).
Install Mechanism
No install spec and no code files — lowest-risk distribution model. However, that also means the skill is only documentation: it presupposes an external binary (RR.exe) and an included script that are not present.
Credentials
The skill requests no environment variables or credentials (proportionate). The only oddity is the mention of a user-stated RR.exe location at '~/.local/bin' which is a Unix-style path while the rest of the instructions target Windows PowerShell; this platform mismatch should be clarified. No secrets or unrelated credentials are requested.
Persistence & Privilege
Autonomous invocation is disabled (disable-model-invocation: true) and always is false; the skill will not run itself and does not request persistent system privileges, which reduces risk.
What to consider before installing
Do not install or rely on this skill yet. The SKILL.md promises a bundled PowerShell wrapper (scripts/rr_run.ps1) but the package contains no code — that missing script is required for the stated preview/apply workflow and logging. Also clarify platform: the doc targets PowerShell/Windows but mentions ~/.local/bin (Unix path). Before using: (1) ask the publisher to supply the missing scripts or explicit example commands; (2) verify you have RR.exe from a trusted source on your PATH; (3) test preview runs in a safe copy of your files first; (4) insist the skill document where logs are written and avoid using /f (force) unless you fully understand consequences. These inconsistencies make the package suspicious even though it does not request credentials or installs code itself.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b8q144afwyf4d4dj5rkqgp183bjs5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments