Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
pc-assistant
v1.2.5PC healthcheck and diagnostics with detailed system information and actionable recommendations. Works on Windows, macOS, and Linux. Read-only system diagnost...
⭐ 2· 551·1 current·1 all-time
byNing@ningtoba
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (PC healthcheck) match the included scripts and declared install.yaml. The scripts collect OS, storage, network, processes, services, package lists, SSH authorized_keys, and auth logs — all relevant to diagnostics. The skill documents that reports contain sensitive information, which aligns with what the scripts gather.
Instruction Scope
SKILL.md instructs the agent to run the included scripts and (optionally) schedule them via cron. The scripts only read local system files and produce local report files; they do not contain network exfiltration calls or hard-coded remote endpoints. Note: the scripts read sensitive files (e.g., /var/log/auth.log, ~/.ssh/authorized_keys, WSL-mounted Windows user dirs), which is expected for a diagnostics tool but expands the privacy surface.
Install Mechanism
No registry install spec was provided (skill is instruction-only), but the package contains an install.yaml describing an install path under ~/.npm-global/... and command locations. There are no downloads or external installers in the manifest. The only mild mismatch: SKILL.md and scripts assume the files will be installed under a specific npm-global path — if you don't install to that path you must invoke scripts by absolute path.
Credentials
The skill declares no required credentials or special environment variables beyond optional PC_ASSISTANT_* configuration. At runtime the scripts read common env vars (HOME, SHELL) and optionally source ~/.config/pc-assistant.conf. The environment access is proportional to a local diagnostics tool, but the reader should note that sourced config and report files could contain sensitive info if misconfigured.
Persistence & Privilege
always:false and normal autonomous-invocation settings. The skill does not request persistent platform-wide privileges, does not modify other skills, and only writes reports to configurable output directories. Scheduling is opt-in (cron) and not auto-installed by the skill.
Assessment
This appears to be a coherent local healthcheck skill, but it gathers sensitive system information (auth logs, SSH authorized_keys content snippets, package lists, mounted Windows user directories under WSL, etc.). Before installing or running: 1) Review the scripts yourself (they're included) and confirm you are comfortable with the files they read and where they write reports. 2) Run as a regular (non-root) user — the scripts are intended to be read-only but running as root increases exposure. 3) Choose a private output directory (do not leave reports in world-readable locations) and enable cleanup if desired. 4) If you schedule it, add cron entries yourself rather than granting automatic scheduling. 5) If you require the skill to be invoked from a different path than ~/.npm-global/..., adjust the call paths or run scripts directly. If you want additional assurance, test in a VM or non-production machine first.Like a lobster shell, security has layers — review code before you run it.
latestvk978g9mm80cpnncsv0zv9pdne58359v8
License
MIT-0
Free to use, modify, and redistribute. No attribution required.