CLI Anything Wrapper

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed CLI wrapper, but it gives OpenClaw broad local command execution and unpinned third-party install authority that should be reviewed before use.

Install only if you intentionally want OpenClaw to run local software through CLI-Anything. Treat --install and the manual setup steps as running third-party GitHub code, review or pin the repository first, prefer dry-run mode, and require explicit approval before actions that modify files, control OBS, alter Zotero or Ollama data, or run unfamiliar harness scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        # Execute
        print(f"\n▶️  执行: {cli_script} {args}")
        try:
            result = subprocess.run(
                [str(cli_script)] + (args.split() if args else []),
                cwd=harness_path,
                capture_output=True,
Confidence
84% confidence
Finding
result = subprocess.run( [str(cli_script)] + (args.split() if args else []), cwd=harness_path, capture_output=True, text=Tru

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        for cmd in cmds:
            print(f"\n$ {cmd}")
            result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
            if result.returncode != 0 and "already exists" not in result.stderr:
                print(f"⚠️  命令可能失败: {result.stderr[:200]}")
Confidence
99% confidence
Finding
result = subprocess.run(cmd, shell=True, capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell-capable behavior while declaring no permissions, which can mislead users and any enforcement layer about what the skill is actually able to do. In this context, the skill is explicitly designed to invoke external CLIs and even install dependencies, so missing permission disclosure materially increases the chance of unsafe execution and weakens trust boundaries.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented purpose says the skill is a wrapper for calling software CLIs, but the behavior also includes downloading code, running installers, and probing the local environment. That mismatch is dangerous because users may consent to a simple wrapper while actually granting a skill the ability to fetch and execute external code and make system changes.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill is presented as a wrapper for invoking existing CLI functionality, but it also performs repository cloning and package/setup execution. That broadens the trust boundary from local command invocation to remote code retrieval and installation, which is a materially different and more dangerous capability for an agent-facing tool.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill can clone and initialize a remote GitHub repository on demand, introducing network retrieval of executable content that is not necessary for merely wrapping an already-installed tool. In an agent context, this is especially dangerous because it enables fetching and running third-party code without strong integrity validation or human review.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises invoking CLI functions for many applications without warning that those commands may modify files, trigger network activity, or change system/application state. Because it fronts powerful tools like Blender, LibreOffice, ComfyUI, and Ollama, understated risk can lead users to pass untrusted arguments or run destructive operations without understanding the consequences.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to clone an external repository and run its setup script, which downloads and executes third-party code, but it does not explicitly warn about the trust and code-execution implications. In a skill whose purpose is to wrap arbitrary CLI tooling, this increases risk because users may treat the steps as routine and execute unreviewed installer logic in their environment.

VirusTotal

66/66 vendors flagged this skill as clean.
