Back to skill
Skillv1.0.0
ClawScan security
skill_install · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 26, 2026, 12:56 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill-installer script matches its stated purpose (installing OpenClaw skills) but contains unsafe file-handling (unsanitized zip extraction to a predictable /tmp path and use of copytree), which could allow path-traversal or filesystem overwrite attacks — proceed with caution and inspect ZIPs and run in a sandbox.
- Guidance
- This package appears to do what it claims, but the installer code has two practical safety issues you should consider before running it on a production machine: - Zip path traversal (zip-slip): the script calls zipfile.extractall() without sanitizing member paths. A malicious ZIP could include filenames like ../../etc/passwd or absolute paths and cause files to be written outside the intended temp folder. Always inspect ZIP contents before running (e.g., unzip -l my-skill.zip) and verify member paths. - Predictable temp dir and copy semantics: the script extracts to a fixed /tmp/openclaw_skill_temp and then uses shutil.copytree to overwrite the skills directory. An attacker on the same system could exploit the predictable temp path (symlink/TOCTOU). Also installing untrusted ZIPs as root can overwrite system-wide files. Recommendations: - Only install skill ZIPs from trusted sources and inspect their contents first (list files, check for .. or absolute paths, review scripts inside). - Run the installer as a non-root user and avoid running on production systems; prefer a sandbox or VM for initial testing. - Consider patching the script to use a secure temporary directory (tempfile.mkdtemp), validate/normalize zip paths before extraction, and refuse entries with absolute paths or '..' components. - Backup OpenClaw installation or test in a disposable environment before installing. If you can share the specific ZIP(s) you intend to install or run the script in a controlled environment, confidence in safety could be raised after verifying those archives and/or fixing the extraction logic.
Review Dimensions
- Purpose & Capability
- okName, description, SKILL.md, README, and scripts/skill_install.py all align: the package is an installer for OpenClaw skills and only requires python3 and write access to the OpenClaw skills directory.
- Instruction Scope
- concernThe runtime instructions and the script perform local filesystem discovery, unzip provided archives, copy files into the global skills directory, and restart the Gateway — all expected for an installer. However the script uses zipfile.extractall without sanitizing member paths (risk of zip-slip/path traversal) and extracts to a predictable /tmp/openclaw_skill_temp (risk of symlink/TOCTOU attacks). These behaviors expand the attack surface beyond benign install operations.
- Install Mechanism
- noteThis is instruction + included script (no remote install). There are no remote downloads or network calls in the code. That lowers remote supply-chain risk, but because it runs local extraction and writes into system-level node_modules locations, local file-safety is important.
- Credentials
- okThe skill requests only python3 and no environment variables or credentials; this is proportionate to an installer that manipulates local files.
- Persistence & Privilege
- noteThe skill writes files into the OpenClaw skills directory and restarts the OpenClaw Gateway (openclaw daemon restart) — this is expected for installing new skills. It does not request always:true and does not modify other skills' configs beyond copying the installed skill files.