ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawJection

v1.0.0

Install and apply ClawJection bundles when a user asks to install a ClawJection, run a ClawJection, or configure an OpenClaw instance from a ClawJection repo...

0· 75·0 current·0 all-time
byGregory Potemkin@nmadeleidev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description and the SKILL.md are aligned: this skill is a policy/instruction set for installing and applying ClawJection bundles. The actions described (locating clawjection.yaml, running an entrypoint, modifying OpenClaw workspace, installing tools/skills) are expected for this purpose. However, the capability implies executing arbitrary bundle code and modifying local runtime state — a significant escalation that should be explicit and constrained by trust or sandboxing controls.
!
Instruction Scope
The instructions direct the agent to clone or download arbitrary repos/archives, run the bundle's entrypoint from the bundle root (which may execute arbitrary commands), read local config (~/.openclaw/openclaw.json) by default, read a structured result from CLAWJECTION_RESULT_PATH, and then execute returned ordered 'followups'. There is no required explicit step enforcing user confirmation, sandboxing, or limiting followup actions. The agent is told to treat stdout as hints and to execute followups — this grants broad discretion and potential for unintended changes or exfiltration.
Install Mechanism
No install spec or code files are present (instruction-only), which lowers the formal install risk surface. The primary risk arises from the runtime behavior described in SKILL.md (downloading/running bundle entrypoints), not from any packaged install process.
!
Credentials
requires.env and primary credential are empty, but the instructions implicitly require access to local OpenClaw configuration (~/.openclaw/openclaw.json) and rely on CLAWJECTION_RESULT_PATH for results (this environment variable is referenced but not declared). The skill may need network access, filesystem write permission, and the ability to invoke installers — none of which are scoped or restricted. That mismatch between declared requirements and the actual environment/file access is concerning.
!
Persistence & Privilege
always:false (normal), but the skill explicitly instructs running bundle entrypoints that can install CLIs/skills or modify core OpenClaw files (e.g., IDENTITY.md). Although the skill does not itself request permanent presence, it provides a mechanism to install persistent components into the agent environment and to run arbitrary followups, which is a significant privilege. No safeguards require user approval for persistent changes.
Scan Findings in Context
[no_static_findings] expected: The repository is instruction-only and contains no code files; the regex-based scanner had nothing to analyze. The lack of findings is expected but does not reduce runtime risk because the SKILL.md instructs execution of external bundle code.
What to consider before installing
This skill lets the agent download and execute arbitrary 'ClawJection' bundles that can modify your local OpenClaw runtime and install software. Before installing or using this skill, consider: 1) Only use bundles from sources you fully trust; 2) Require explicit, manual confirmation before running any bundle entrypoint or before applying any followups; 3) Inspect clawjection.yaml and the entrypoint code yourself (or in a sandbox) before execution; 4) Run bundle application inside an isolated VM/container or ephemeral environment with restricted network/filesystem access; 5) Back up ~/.openclaw/openclaw.json, IDENTITY.md, and other critical OpenClaw files before applying a bundle; 6) Be cautious with bundles that request or create CLAWJECTION_RESULT_PATH or other env vars — the SKILL.md references CLAWJECTION_RESULT_PATH but does not declare it; 7) Prefer signed or provenance-verified bundles and add limits on followup actions (never execute followups automatically). If you need this capability but want safer behavior, ask the skill author to: declare required env vars and file accesses, require interactive confirmation for destructive or persistent changes, document a trust/provenance model, and recommend sandboxing steps.

Like a lobster shell, security has layers — review code before you run it.

latestvk97722thz7zmpgv2452ynpa3dn83m06r

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments