skill_install
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a genuine OpenClaw skill installer, but it persistently changes the agent environment: it installs ZIP contents after only superficial validation and derives the install destination from a name supplied by the ZIP itself.
Install only ZIP files you trust, inspect their SKILL.md, _meta.json, and scripts first, avoid running this installer with unnecessary admin/root privileges, and verify that the printed install path stays inside the expected OpenClaw skills directory.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
0/64 vendors flagged this skill; all 64 reported it clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or malformed skill ZIP could cause files to be written outside the OpenClaw skills folder, or could trick the installer into deleting an unexpected directory.
The install destination is built from a name read from the ZIP's SKILL.md without any visible validation. A value containing '../' walks out of the intended skills directory, and an absolute value makes os.path.join discard the skills directory entirely; if the resulting path exists the script removes it after a prompt, and if it does not exist the script writes there.
skill_name = line.split(':', 1)[1].strip()
...
target_dir = os.path.join(self.skills_dir, skill_name)
...
shutil.rmtree(target_dir)
...
shutil.copytree(skill_source, target_dir)
Reject skill names containing path separators, absolute paths, or '..'; resolve the final path and require it to stay under the skills directory before deleting or copying anything.
A ZIP that merely looks like a skill can be installed and made available to OpenClaw, even if it was not actually from a trusted source.
For a third-party skill installer, the visible structure validation only confirms that SKILL.md exists and starts with frontmatter before installation. It does not verify _meta.json, provenance, signatures, or the contents of included scripts.
if not content.startswith('---'):
    return False, "SKILL.md format error: must start with ---"
return True, "skill structure is valid"
Install only ZIPs you have reviewed and trust. The installer should enforce _meta.json checks, verify source/signatures where possible, and stage the skill for review before activation.
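As an added example (not code from this skill or from OpenClaw), the following Python shows the pre-install checks recommended for the two findings above, run entirely before anything is deleted or copied: the skill name taken from SKILL.md is restricted to a single safe path component and the resolved target must sit directly under the skills directory; the frontmatter must be closed; _meta.json must be present and agree with SKILL.md; and, going one step beyond the page's own finding, ZIP member names are screened for path traversal before extraction. The SAFE_NAME rule, the assumption that _meta.json carries a name field, the function names and the sample ZIP contents are all assumptions made for illustration.

```python
import io
import json
import re
import zipfile
from pathlib import Path, PurePosixPath

# Hypothetical rule for this example: a skill name is one path component of letters,
# digits, '_' and '-', so '..', '/', '\\' and drive prefixes can never match.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,63}")


class SkillRejected(ValueError):
    """A skill ZIP failed a pre-install check; nothing has been deleted or copied."""


def parse_frontmatter(content: str) -> dict:
    """Read 'key: value' pairs from the '---' frontmatter at the top of SKILL.md.

    Keeps the installer's line.split(':', 1) convention but requires the block to be
    closed and returns every field instead of a bare name.
    """
    if not content.startswith("---"):
        raise SkillRejected("SKILL.md must start with --- frontmatter")
    fields = {}
    for line in content.splitlines()[1:]:
        if line.strip() == "---":
            return fields
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    raise SkillRejected("SKILL.md frontmatter is not closed with ---")


def validate_skill_name(name: str) -> str:
    """Reject absolute paths, separators and '..' before the name touches the filesystem."""
    if not SAFE_NAME.fullmatch(name):
        raise SkillRejected(f"unsafe skill name {name!r}")
    return name


def resolve_target_dir(skills_dir, skill_name: str) -> Path:
    """Hardened replacement for os.path.join(self.skills_dir, skill_name).

    Even with the name validated, resolve the final path and require it to be a direct
    child of the skills directory before any rmtree/copytree could run.
    """
    base = Path(skills_dir).resolve()
    target = (base / validate_skill_name(skill_name)).resolve()
    if target.parent != base:
        raise SkillRejected(f"{target} is outside {base}")
    return target


def check_zip_members(zf: zipfile.ZipFile) -> None:
    """Reject ZIP entries whose names could land outside the extraction directory."""
    for info in zf.infolist():
        pure = PurePosixPath(info.filename)
        if pure.is_absolute() or "\\" in info.filename or ".." in pure.parts \
                or re.match(r"[A-Za-z]:", info.filename):
            raise SkillRejected(f"unsafe ZIP member {info.filename!r}")


def precheck_skill_zip(zip_bytes: bytes, skills_dir) -> dict:
    """Run the checks the page says the installer lacks, before touching skills_dir.

    Returns what the installer would act on so a caller can print it for review.
    _meta.json is assumed (hypothetically) to carry a 'name' that must match SKILL.md.
    """
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        check_zip_members(zf)
        names = zf.namelist()
        # Accept SKILL.md at the ZIP root or inside exactly one top-level folder.
        skill_md = next((n for n in names
                         if PurePosixPath(n).name == "SKILL.md" and n.count("/") <= 1), None)
        if skill_md is None:
            raise SkillRejected("no SKILL.md in ZIP")
        prefix = skill_md[: -len("SKILL.md")]
        fields = parse_frontmatter(zf.read(skill_md).decode("utf-8"))
        if "name" not in fields:
            raise SkillRejected("SKILL.md frontmatter has no name")
        target = resolve_target_dir(skills_dir, fields["name"])
        meta_name = prefix + "_meta.json"
        if meta_name not in names:
            raise SkillRejected("_meta.json missing")
        meta = json.loads(zf.read(meta_name))
        if meta.get("name") != fields["name"]:
            raise SkillRejected("_meta.json name does not match SKILL.md")
        scripts = sorted(n for n in names if n.startswith(prefix) and n.endswith((".py", ".sh")))
        return {"name": fields["name"], "target_dir": str(target), "scripts": scripts}


# Constructed sample ZIP contents for this example (not real skills).
GOOD_SKILL = {
    "weather/SKILL.md": "---\nname: weather\ndescription: constructed sample\n---\n# Weather\n",
    "weather/_meta.json": json.dumps({"name": "weather", "version": "0.1.0"}),
    "weather/scripts/run.py": "print('hello')\n",
}
TRAVERSAL_SKILL = {
    "evil/SKILL.md": "---\nname: ../../etc\n---\n",
    "evil/_meta.json": json.dumps({"name": "../../etc"}),
}
ZIP_SLIP_SKILL = {**GOOD_SKILL, "../cron.d/evil": "* * * * * root id\n"}


def make_skill_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from a {member_name: content} mapping."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    print(precheck_skill_zip(make_skill_zip(GOOD_SKILL), "/tmp/openclaw/skills"))
    for bad in (TRAVERSAL_SKILL, ZIP_SLIP_SKILL):
        try:
            precheck_skill_zip(make_skill_zip(bad), "/tmp/openclaw/skills")
        except SkillRejected as exc:
            print("rejected:", exc)
```

The returned dictionary is the review surface the page asks for: print it, let the user confirm the target directory and the listed scripts, and only then stage, copy and restart.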
Running the installer with elevated privileges gives it the ability to alter installed skills and potentially overwrite existing content.
The installer needs permission to modify the OpenClaw skills directory. That is expected for this purpose, but it is still a privileged local mutation capability.
- Write permissions to OpenClaw skills directory
Run it with the least privileges needed, avoid sudo/admin unless required, and confirm the printed target path before approving overwrites.
A newly installed skill remains available after installation and may affect future OpenClaw sessions.
The script persistently copies a skill into OpenClaw and restarts the Gateway so it becomes available. This is disclosed and purpose-aligned, but users should understand it changes the active agent environment.
shutil.copytree(skill_source, target_dir)
...
subprocess.run(["openclaw", "daemon", "restart"], capture_output=True, text=True, timeout=30)
Review the skill contents before installing and consider manually restarting or enabling the skill only after inspection.
