Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
China Mirrors
v1.2.0自动配置 Python pip、npm、yarn、pnpm、cargo、go mod、NuGet、RubyGems、Conda、Homebrew、Gradle 等包管理器的国内镜像源。使用当用户提到下载慢、安装依赖、配置镜像、加速包下载、设置国内源,或在中国大陆开发需要加速依赖安装时。支持阿里云、腾讯云、清华大学...
⭐ 0· 16·0 current·0 all-time
byNormDist@normdist-ai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description match the code and SKILL.md: scripts and instructions only touch package-manager configuration and test mirror endpoints. No unrelated credentials, external endpoints, or unexpected components are requested.
Instruction Scope
SKILL.md and scripts instruct the agent to detect installed tools, run local helper scripts, and modify per-user and project configuration files (~/.pip, ~/.cargo/config.toml, .npmrc, shell rc files, NuGet.Config, etc.). This is expected for the purpose, but some actions are potentially destructive: e.g., NuGet.Config is written with a <clear/> element (which clears existing package sources) and the Ruby script runs 'gem sources --remove https://rubygems.org/' which removes the default source. The skill also appends GOPROXY exports to shell rc files and may require restarting the shell.
Install Mechanism
Instruction-only skill with shipped scripts (no installer or remote downloads). No third-party install URLs or archives are fetched by the skill itself.
Credentials
No environment variables or credentials are requested. The scripts check and use locally installed CLI tools (pip/npm/go/dotnet/gem/conda/etc.), which is appropriate for configuring those package managers.
Persistence & Privilege
The skill modifies user configuration files and shell startup files (persistent, user-scoped changes). always:false and no cross-skill/system-wide privilege escalation. Because it makes persistent changes to user config, users should be aware and back up configs before running.
Assessment
This skill is internally consistent for configuring domestic mirrors, but inspect and back up your environment before running: 1) Review the scripts (scripts/config_all.py, config_pip.py, config_npm.js) to confirm the mirror URLs are acceptable. 2) Backup config files (e.g., ~/.pip/pip.conf, ~/.cargo/config.toml, ~/.npmrc, ~/.bashrc/.zshrc, NuGet.Config) because the scripts write/append to them; NuGet.Config uses <clear/> which will remove existing package sources and the Ruby configuration removes the default rubygems source. 3) Test in a non-production environment or run the scripts with the --show/--list options where available first. 4) Consider running scripts/test_mirrors.py to verify mirror reachability from your network. 5) Note there are minor code issues (e.g., a bug in validate_mirror_key in config_all.py referencing an undefined variable) — these may cause failures but not malicious behavior. If you are uncomfortable, run the commands manually following the SKILL.md steps instead of executing the supplied scripts.scripts/config_npm.js:35
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk97egs8vd9xwkqckcjxwmgak99849je9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.