Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

openlist

v1.0.0

Execute safe file operations via OpenList API with preview-apply workflow for browsing, moving, renaming, deleting, offline tasks, and audit logging.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description and the included Python CLI implement browsing, move/rename/delete previews and apply, offline tasks, and audit logging against an OpenList HTTP API — this is coherent with the stated purpose. However the published registry metadata claims no required environment variables while SKILL.md (and the code) require OPENLIST_BASE_URL and OPENLIST_TOKEN. That metadata mismatch is unexpected and should be corrected/clarified.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python script and to read configuration from environment variables and from .env files at the repository root and skill folder. The code loads repo_root()/.env and skills/openlist/.env automatically; that can expose unrelated repository secrets if present. Apart from that, instructions limit network calls to the OpenList endpoints and require a preview/apply workflow for state changes which is appropriate. The .env reading behavior is a scope creep risk and should be explicitly acknowledged by the user.
Install Mechanism
There is no install spec or external download. The skill is delivered with a Python script that will run in the agent environment. No remote install or URL-based code pull was observed, which lowers installation risk.
Credentials
Requiring OPENLIST_BASE_URL and OPENLIST_TOKEN is reasonable for a service client. But the registry metadata omits these requirements (declares none), creating an inconsistency. Additionally, the script will merge OS environment variables with .env files and therefore can read any env var present; automatic reading of repo .env files could surface unrelated secrets — this is disproportionate if users assume only the two OpenList variables will be accessed.
Persistence & Privilege
The skill does not set always: true and does not request elevated platform privileges. It writes an audit JSONL to ~/.codex/openlist/audit.jsonl (declared in docs) but does not appear to modify other skills or global agent configuration. Autonomous invocation is enabled by default on the platform, which is normal; no extra persistence flags are present.
What to consider before installing
This skill appears to implement the OpenList preview-then-apply workflow and uses OPENLIST_BASE_URL and OPENLIST_TOKEN — which is appropriate — but the registry metadata incorrectly lists no required env vars. Before installing: (1) verify the skill's source/trustworthiness (homepage unknown, owner ID only), (2) ensure OPENLIST_TOKEN you provide is scoped minimally (not a full admin token if not needed), (3) understand that the script will read .env at the repository root and skills/openlist/.env (remove or audit those files first to avoid leaking unrelated secrets), (4) review the full openlist.py source to confirm there are no unexpected network calls or telemetry, and (5) run the skill in an isolated environment or with a token that has only the necessary permissions. If the publisher can correct the registry metadata and explicitly document .env reading and audit contents/redaction behavior, that would reduce concern.

Like a lobster shell, security has layers — review code before you run it.
