m
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: m
Version: 1.0.0
The skill bundle 'm' provides the agent with a broad and high-privilege set of system administration capabilities, including package management (sudo apt, dnf, brew), service control (systemctl, launchctl), and database migration (mysqldump). While these capabilities are aligned with the stated purpose of 'system management,' the inclusion of broad sudo access and destructive commands like 'rm -r' and 'apt purge' in SKILL.md constitutes a high-risk attack surface for an AI agent. There is no evidence of intentional malice or data exfiltration, but the scope of permissions is excessively wide for a general-purpose alias skill.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken command could delete files, overwrite destinations, or move data to the wrong place.
The skill documents shell commands that can permanently remove or overwrite local data. The comment advises confirmation, and the behavior fits the move/migration purpose, but it is still high-impact if run incorrectly.
rsync -avh source/ /mnt/other_disk/backup/ ... rm -r source/ # delete only after confirming
Confirm source and destination paths before running commands, prefer interactive or dry-run modes where available, and keep backups before destructive moves.
Using these commands may change the whole system or access privileged databases, not just files in the current project.
The skill includes examples requiring elevated OS privileges or database administrator credentials. These are expected for package and data migration tasks, but they cross important permission boundaries.
sudo apt purge nginx ... sudo apt upgrade ... mysqldump -u root -p db > backup.sql
Use least-privilege accounts, require explicit user confirmation before sudo or root database operations, and verify the exact package, service, or database target.
A service could continue running or start on boot after the immediate task is finished.
The skill documents commands that can make services start automatically. This is disclosed under service management, but it creates persistent system behavior.
sudo systemctl enable nginx # start on boot ... Set-Service -Name "Spooler" -StartupType Automatic
Only enable startup behavior when the user explicitly asks for it, and document how to disable or roll back the service change.
