Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
linux-forensics-automation
v1.0.0
Automates Linux forensic data collection, generates detailed reports, and uploads them to Google Drive or emails results for fast incident response and audits.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The name/description claim a turnkey automation that runs local collection and uploads results. However the SKILL.md references several scripts (linux_forensics.sh, forensics_and_upload.sh, upload_to_drive.py, send_email.py, setup_gmail.py) that are not included in the skill bundle and there is no homepage or source link. That is inconsistent: either the skill should include or point to the implementation, or it cannot deliver its promised capability.
Instruction Scope
The instructions explicitly tell the user/agent to collect broad, sensitive system data (logs, passwd/sudoers, recent files, full process arguments) and to upload or email those results. Collecting and transmitting this data is coherent with a forensics purpose, but the SKILL.md gives no safeguards (confirmation prompts, filtering/minimization, or explicit consent step) and assumes scripts exist locally. The combination of broad data access + automated upload without provided code or provenance is a security concern.
Install Mechanism
There is no install spec and no code files — the skill is instruction-only. That is low-risk by itself, but here the instructions direct users to run scripts that are absent, forcing users or agents to obtain code from unspecified sources. That gap raises high risk because fetching/running unknown scripts is a common vector for malicious code.
Credentials
The registry metadata declares no required environment variables or primary credential, yet the instructions require Google OAuth credentials and saving tokens (e.g., ~/.gmail_tokens.json). Credential handling is therefore un-declared in the registry metadata. Requesting OAuth tokens for Drive/Gmail is expected for the described functionality, but the absence of declared credential requirements and lack of guidance on least-privilege or service-account alternatives is a proportionality and transparency concern.
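The two gaps the scan describes above, in Purpose & Capability (scripts referenced in SKILL.md but absent from the bundle) and in Credentials (token files the instructions require but the registry metadata never declares), can both be caught mechanically before anything is installed. The following check is an added example written for this page; it is not the OpenClaw scanner and not part of the skill. The SKILL.md excerpt, the bundle file list and the metadata keys `env` and `primaryCredential` are constructed assumptions; only the script and token file names mirror those the scan mentions.

```python
"""Pre-install bundle check for an instruction-only skill.

Added example; this is not the OpenClaw scanner and not part of the skill.
Given the SKILL.md text, the set of files actually shipped in the bundle and
the registry metadata, it reports (a) scripts the instructions invoke that the
bundle does not ship and (b) credential/token files the instructions reference
while the metadata declares no credential at all. The SKILL.md excerpt, file
list and metadata keys ("env", "primaryCredential") below are constructed for
this example; the script and token names mirror the ones named in the scan.
"""
import re
from dataclasses import dataclass, field

# Script files the instructions may tell an agent to run: *.sh or *.py names.
SCRIPT_RE = re.compile(r"\b([\w.-]+\.(?:sh|py))\b")
# Home-relative paths that look like stored secrets, e.g. ~/.gmail_tokens.json.
TOKEN_RE = re.compile(r"~/[\w./-]*(?:token|cred|secret)(?:[\w./-]*\w)?", re.IGNORECASE)
# Phrases indicating a credential type the registry metadata should declare.
CRED_HINTS = ("oauth", "client_secret", "api key", "service account")


@dataclass
class SkillFindings:
    missing_scripts: list = field(default_factory=list)
    undeclared_token_files: list = field(default_factory=list)
    credential_hints: list = field(default_factory=list)

    @property
    def unsafe(self) -> bool:
        # Either gap means the user would have to fetch code from an unknown
        # source or hand over credentials the registry never told them about.
        return bool(self.missing_scripts or self.undeclared_token_files)


def check_skill(skill_md: str, bundle_files, metadata: dict) -> SkillFindings:
    shipped = set(bundle_files)
    referenced = set(SCRIPT_RE.findall(skill_md))
    # Constructed metadata shape: a list of required env vars and an optional
    # primary credential name; either one counts as "declared".
    declared = bool(metadata.get("env")) or bool(metadata.get("primaryCredential"))
    token_files = sorted(set(TOKEN_RE.findall(skill_md)))
    lowered = skill_md.lower()
    return SkillFindings(
        missing_scripts=sorted(referenced - shipped),
        undeclared_token_files=[] if declared else token_files,
        credential_hints=[h for h in CRED_HINTS if h in lowered],
    )


# Constructed SKILL.md excerpt; the names follow the scan's description.
SKILL_MD = """\
# linux-forensics-automation (constructed excerpt)
Run ./linux_forensics.sh as root to collect logs, /etc/passwd, /etc/sudoers,
recent files and full process arguments. Then run forensics_and_upload.sh,
which calls upload_to_drive.py with the Google OAuth client_secret.json, or
send_email.py once setup_gmail.py has saved tokens to ~/.gmail_tokens.json
"""
BUNDLE_FILES = {"SKILL.md"}                        # what the registry actually ships
METADATA = {"env": [], "primaryCredential": None}  # nothing declared

if __name__ == "__main__":
    f = check_skill(SKILL_MD, BUNDLE_FILES, METADATA)
    print("missing scripts:", f.missing_scripts)
    print("undeclared token files:", f.undeclared_token_files)
    print("credential hints:", f.credential_hints)
    print("unsafe to install:", f.unsafe)
```

Run against the constructed excerpt, every one of the five scripts comes back missing and the Gmail token file is flagged as undeclared, which is exactly the combination the scan calls out; a bundle that ships the scripts and declares its OAuth credential passes.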
Persistence & Privilege
The skill is not always-enabled and is user-invocable (defaults). The agent may still invoke it autonomously (disable-model-invocation is false), which increases risk if an agent runs these flows without explicit human approval because uploads could exfiltrate sensitive data. This is noteworthy but not by itself a disqualifying privilege.
What to consider before installing
Do not run or trust the scripts referenced here unless you can inspect their source. Before installing/using:
1) Ask the publisher for the full source code or a trustworthy repository/homepage; verify the code in the registry matches that repo.
2) Have a security reviewer audit the scripts for what they collect and how they transmit data.
3) Prefer service accounts or scoped credentials rather than personal Gmail OAuth; ensure tokens are stored securely and rotated.
4) Run initial tests in an isolated sandbox or disposable VM and run scripts as a non-root user where possible.
5) Require explicit confirmation and data-minimization (exclude directories that should not be uploaded) before any automated upload.
If the publisher cannot provide source or provenance, treat the skill as unsafe to use.
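Step 5 above is the one the skill's own instructions omit, and it is the one that stops an autonomous agent run from turning a collection into an exfiltration. The gate below is an added example, not the skill's code: it applies an exclusion policy to the collection directory, writes a SHA-256 manifest of what would be sent, and releases files only on an explicit confirmation flag. The exclusion patterns, the `MANIFEST.json` name and the sample collection are constructed assumptions.

```python
"""Upload gate for a forensic collection directory.

Added example, not the skill's own code. Before any collected data leaves the
host it (1) drops files matching a data-minimization policy (credential
material an incident report does not need), (2) writes a SHA-256 manifest so a
reviewer can see exactly what would be sent, and (3) refuses to release files
unless explicit confirmation was given. The exclusion patterns and the sample
collection below are constructed for this example.
"""
import fnmatch
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed exclusion policy: fnmatch patterns against collection-relative
# paths ('*' also matches '/'). passwd/sudoers stay in; secrets stay out.
DEFAULT_EXCLUDES = (
    "etc/shadow", "etc/gshadow",
    "home/*/.ssh/*", "root/.ssh/*",
    "*token*", "*.pem", "*.key",
)


def is_excluded(rel_path: str, patterns=DEFAULT_EXCLUDES) -> bool:
    return any(fnmatch.fnmatch(rel_path, p) for p in patterns)


def build_manifest(root: Path, patterns=DEFAULT_EXCLUDES) -> dict:
    """Hash every file under root; return {"included": {path: sha256}, "excluded": [...]}."""
    included, excluded = {}, []
    for f in sorted((p for p in root.rglob("*") if p.is_file()), key=str):
        rel = f.relative_to(root).as_posix()
        if rel == "MANIFEST.json":          # our own output from an earlier run
            continue
        if is_excluded(rel, patterns):
            excluded.append(rel)
        else:
            included[rel] = hashlib.sha256(f.read_bytes()).hexdigest()
    return {"included": included, "excluded": excluded}


def gate_upload(root: Path, confirmed: bool, patterns=DEFAULT_EXCLUDES) -> list:
    """Return the collection-relative paths cleared for upload.

    The manifest is always written so the operator can review it; the files are
    released only when `confirmed` is True (an explicit human decision, never a
    default the agent can satisfy on its own).
    """
    manifest = build_manifest(root, patterns)
    (root / "MANIFEST.json").write_text(json.dumps(manifest, indent=2))
    if not confirmed:
        raise PermissionError(
            f"{len(manifest['included'])} files staged, {len(manifest['excluded'])} "
            f"excluded; review {root / 'MANIFEST.json'} and confirm before uploading")
    return sorted(manifest["included"])


def make_sample_collection() -> Path:
    """Constructed stand-in for what a collection script might write."""
    root = Path(tempfile.mkdtemp(prefix="forensics-"))
    files = {
        "etc/passwd": "root:x:0:0:root:/root:/bin/bash\n",
        "etc/shadow": "root:!:19000:0:99999:7:::\n",
        "etc/sudoers": "root ALL=(ALL:ALL) ALL\n",
        "var/log/auth.log": "Jan  1 00:00:01 host sshd[100]: Accepted publickey for admin\n",
        "proc/ps_args.txt": "1 /sbin/init\n100 /usr/sbin/sshd -D\n",
        "root/.ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n",
        "root/.gmail_tokens.json": '{"refresh_token": "constructed"}\n',
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    root = make_sample_collection()
    try:
        gate_upload(root, confirmed=False)
    except PermissionError as err:
        print("blocked:", err)
    print("cleared:", gate_upload(root, confirmed=True))
```

Whatever does the upload (a Drive client, an SMTP sender, or a copy to a case server) should be handed only the list `gate_upload` returns, and the manifest should travel with the data so the receiving analyst can re-hash and verify that nothing was altered or added in transit. Run as a non-root user against a copy of the collection, this also satisfies step 4 without giving the upload tooling any access to the live system.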
latest: vk97bq34agezhyk4q75w28dmc2d83gbz0
