Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
NormieClaw Full Stack
v1.0.0
Every NormieClaw skill in one download. 34 production-tested OpenClaw skills covering productivity, finance, health, education, content creation, and more. I...
by @nollio
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The package name and description match the delivered contents: it's a single archive bundling 34 distinct NormieClaw skills, each with its own SKILL.md, scripts, and dashboard kit. Requesting no credentials and no special binaries is consistent with a local-only toolset. The scope (many different sub-skills, local JSON data, dashboard templates, and shell/python scripts) is large but coherent with a 'full stack' bundle—however, the absence of provenance (unknown source, no homepage) makes the large bundle suspicious from a trust/provenance perspective.
Instruction Scope
The provided SETUP-PROMPT explicitly tells users to paste a block into their agent chat that runs a sequence of shell commands (find/cp/mkdir/chmod/etc). That installation mechanism asks the agent to perform filesystem operations and set permissions — reasonable for installing local skills but risky if you don't trust the source or the agent. The top-level SKILL.md also contained prompt-injection patterns flagged by the scanner (e.g., 'ignore-previous-instructions', 'you-are-now' and unicode control chars), which indicates the instructions themselves may attempt to influence agent behavior. Some sub-skill SKILL.md files contain explicit prompt-injection defenses (good), but the presence of injection markers at the package level is a red flag.
Install Mechanism
There is no remote install step (no downloads from external URLs) which reduces risk from arbitrary remote code fetch. The install flow is instruction-only: copying files from the bundle into your agent workspace and creating data directories. That is low on direct supply-chain concerns but still writes many files into your workspace and includes executable scripts (shell and Python) that could be run by the agent or by you. The 'find ... -exec cp' pattern used in SETUP-PROMPT is unusual (copies matching files from anywhere in the filesystem tree into the skills folder) and could overwrite or pull in unexpected files if misused.
Credentials
The registry metadata declares no required environment variables or credentials, and most per-skill SECURITY.md files claim local-only operation. That is appropriate for the described functionality. However, some templates and manifests (dashboard/database schemas, supabase-server template) reference DB concepts and local hosting — they may prompt you later to configure external services. No direct env/secret exfiltration markers were declared, but lack of provenance increases risk if later manual setup steps request credentials.
Persistence & Privilege
The skill is not marked 'always:true' and uses the platform-default for autonomous invocation. Installing this bundle will place many skills and executable scripts in your workspace (persistent files) which increases attack surface; the package does not request system-wide privileges explicitly. The main risk is the agent being instructed (or persuaded via injected prompts) to run those scripts or copy/overwrite files — not the metadata's privilege flags themselves.
Scan Findings in Context
[ignore-previous-instructions] unexpected: This pattern is a common prompt-injection token. It is unexpected in a benign SKILL.md and may be an attempt to alter agent instruction-following behavior. Even if some sub-skills include prompt-injection defenses, the presence of this token at the package level is concerning.
[you-are-now] unexpected: Another prompt-injection phrase that could be used to change agent role/context. Not necessary for a straightforward installation SKILL.md and thus raises suspicion about manipulation attempts.
[unicode-control-chars] unexpected: Use of unicode control characters is a known technique to hide or obfuscate instructions from human reviewers while still influencing an LLM. Their presence in SKILL.md is unexpected and should prompt manual inspection of the file contents (and any hidden characters).
What to consider before installing
This bundle contains a lot of local scripts and many SKILL.md files — treat it as untrusted code until you verify it. Before installing:
1) Verify provenance: who published it, are there checksums or a signed release, is there an official homepage or Git repo?
2) Inspect the top-level SKILL.md and each SETUP-PROMPT block for any hidden/injected content (look for the flagged phrases and for invisible unicode chars).
3) Do NOT paste the provided setup block into a production agent chat or run it on your main workstation without review — that block asks the agent to execute filesystem operations; run similar steps yourself manually in a sandbox if you decide to proceed.
4) Run the code in an isolated environment (VM or container) or on a throwaway account first; check scripts for any network calls, remote endpoints, or commands that might overwrite critical files.
5) Search the repository for suspicious patterns (curl/wget to external hosts, base64/decode/exec, git remote add, ssh, scp, rsync, nc/socat) and review any scripts that will be executed by the agent (shell scripts and python scripts).
6) If you want this package but don't trust the bundle, extract only the individual skills you need and audit them separately.
Additional information that would raise confidence: a known publisher/homepage, cryptographic signatures or checksums, or an independent security audit for the full bundle.
budget-buddy-pro/SKILL.md:20
Prompt-injection style instruction pattern detected.
content-creator-pro/SKILL.md:19
Prompt-injection style instruction pattern detected.
daily-briefing/SKILL.md:18
Prompt-injection style instruction pattern detected.
dashboard-builder/SETUP-PROMPT.md:8
Prompt-injection style instruction pattern detected.
dashboard-builder/SKILL.md:22
Prompt-injection style instruction pattern detected.
docuscan/SECURITY.md:30
Prompt-injection style instruction pattern detected.
docuscan/SKILL.md:7
Prompt-injection style instruction pattern detected.
email-assistant/SECURITY.md:14
Prompt-injection style instruction pattern detected.
email-assistant/SKILL.md:19
Prompt-injection style instruction pattern detected.
expense-report-pro/SKILL.md:45
Prompt-injection style instruction pattern detected.
health-buddy-pro/SKILL.md:35
Prompt-injection style instruction pattern detected.
hireme-pro/SECURITY.md:62
Prompt-injection style instruction pattern detected.
hireme-pro/SKILL.md:20
Prompt-injection style instruction pattern detected.
invoicegen/SKILL.md:4
Prompt-injection style instruction pattern detected.
knowledge-vault/SKILL.md:18
Prompt-injection style instruction pattern detected.
meal-planner-pro/SKILL.md:16
Prompt-injection style instruction pattern detected.
notetaker-pro/SECURITY.md:25
Prompt-injection style instruction pattern detected.
notetaker-pro/SKILL.md:19
Prompt-injection style instruction pattern detected.
party-planner-pro/SKILL.md:20
Prompt-injection style instruction pattern detected.
relationship-buddy/SKILL.md:26
Prompt-injection style instruction pattern detected.
security-team/SKILL.md:18
Prompt-injection style instruction pattern detected.
stock-watcher-pro/SKILL.md:20
Prompt-injection style instruction pattern detected.
supercharged-memory/SKILL.md:18
Prompt-injection style instruction pattern detected.
trainer-buddy-pro/SKILL.md:20
Prompt-injection style instruction pattern detected.
travel-planner-pro/SKILL.md:18
Prompt-injection style instruction pattern detected.
tutor-buddy-pro/SKILL.md:28
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
