Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

android build tool

v0.0.2

A tool for downloading and configuring Android SDKs for projects, supporting Windows and macOS. Invoke when user needs to manage mobile SDKs, configure proje...

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description (Android SDK management) match the included Python wrapper which downloads and runs a helper 'pi' binary to perform tasks. Requesting a helper executable is plausible for this purpose, so the overall capability aligns with the stated purpose.
Instruction Scope
The runtime instructions (run pi_claw.py) cause the skill to download an external binary and execute it. While this is related to the stated task, the instructions grant the skill authority to fetch and run arbitrary remote code (the contents of the 'pi' binary are not included), which expands scope beyond what a pure instruction-only skill typically does.
Install Mechanism
The Python script downloads an executable from GitHub Releases and executes it. Although GitHub releases is a known host, there is no checksum/signature verification, no pinned release artifact, and the binary is executed immediately. Download+extract/execute of remote binaries without integrity checks is a high-risk install pattern.
Credentials
The skill declares no required environment variables, credentials, or config paths and the code does not read any secrets. The requested environment access is minimal and proportionate to the task as described.
Persistence & Privilege
The script writes the downloaded 'pi' binary into the same directory as pi_claw.py and executes it. This is a local write and not a platform-wide persistence request (always:false). Still, writing and running an executable on disk increases attack surface and should be considered before use.
What to consider before installing
This skill works by downloading and executing a helper binary (pi.exe/pi) from a GitHub Releases URL at runtime. That makes its behavior dependent on whatever code is in that remote binary — which is not included or verified. Before installing or running it:

  1) Review the upstream release page and vendor identity (who controls noah-smith-max/pi_public) and confirm you trust that source.
  2) Ask the skill author for checksums/signatures or for the helper's source code so you can verify what will run.
  3) Avoid running it on production or sensitive systems; test in an isolated VM or disposable environment.
  4) Prefer a version that includes integrity verification (SHA256/GPG) or a pure-Python implementation instead of executing an unsigned binary.
  5) Note the script only supports Windows/macOS (it exits on Linux).

If you accept the risk, consider improving the wrapper (use subprocess.run with argument lists to avoid shell-joining, validate TLS/release integrity, and pin a specific release).

MIT-0

Pi Project

A tool for downloading and configuring Android SDKs for projects, supporting Windows and macOS.

Features

Environment Detection

  • Project detection
  • Proxy detection (uses a proxy for Chinese networks if a proxy is detected)

Dependency Detection

Detect version information for:

  • Flutter
  • Android ecosystem (Gradle, Build Tools, SDK, NDK, CMake)
  • Java

Check & Download

  • Check if dependencies are installed
  • Download missing dependencies

Environment Config

  • Configure environment variables for the project to be used by code editors
  • Configure necessary global environment variables
  • For SDKs with strict version sensitivity (e.g., Flutter), configure shortcut commands in the project root directory

Build

  • Build the project from source code

Usage

Using pi_claw.py (Recommended)

  • Run python pi_claw.py help to show help information
  • Run python pi_claw.py detect /path/to/your/project to detect project dependencies
  • Run python pi_claw.py /path/to/your/project to download SDK and configure project
  • Run python pi_claw.py build /path/to/your/project to build the project from source code

Using pi directly

  • Run pi help to show help information
  • Run pi detect /path/to/your/project to detect project dependencies
  • Run pi /path/to/your/project to download SDK and configure project
  • Run pi build /path/to/your/project to build the project from source code

Supported Platforms

  • Windows
  • macOS

Supported Project Types

  • Android projects
  • Flutter + Android projects
