Skill v1.0.1

ClawScan security

Skill Store Client (技能商店客户端) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Mar 15, 2026, 1:13 PM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill is generally coherent with being a local skill-store client, but it performs risky operations (unsafe archive extraction, hardcoded root install path, arbitrary downloads) that are security-relevant and not justified or mitigated in the files provided.
Guidance
This package does what it claims (query a local skill store and install skill archives), but it contains risky behaviors you should consider before installing or running it:
- Unsafe archive extraction: zipfile.extractall and tarfile.extractall are used without any path sanitization; specially crafted archives can overwrite files anywhere the process can write. Treat downloads as untrusted data.
- Hardcoded install path: it writes to /root/.openclaw/workspace/skills/, which assumes root and a specific layout. Run as a non-privileged user and change SKILLS_DIR to a safer location.
- No integrity checks: downloaded packages are not validated (no signatures or checksums). An attacker controlling the shop endpoint can supply malicious packages.
- External commands: RAR extraction invokes the system 'unrar' binary; that executes external code and may have its own risks.

Recommendations before use:
- Only point SHOP_BASE_URL to a shop you control and trust (default is localhost). Verify the server endpoint and run it in a secure environment.
- Don't run this as root. Change SKILLS_DIR to a dedicated non-root directory you control.
- Add or require package signatures/checksums and validate them before extraction.
- Replace extractall with safe extraction that prevents path traversal, or validate archive entries before writing.
- Audit any skill packages you install before executing them.

Given these issues, treat the skill as suspicious until the extraction and path/config practices are fixed or until you can audit the shop and packages it will download.

Review Dimensions

Purpose & Capability
note: The code implements the advertised functionality (list/search/install skills from a shop). Dependencies (requests, python) match the purpose. However the install target is hardcoded to /root/.openclaw/workspace/skills/, which is surprising (assumes root and a specific filesystem layout) and should be configurable rather than baked into the script.
Instruction Scope
concern: The script downloads arbitrary skill packages from SHOP_BASE_URL and extracts them to disk. Extraction uses zipfile.extractall and tarfile.extractall without path sanitization, which is vulnerable to zip-slip / tar path-traversal and can overwrite arbitrary files. It may also invoke system 'unrar'. The SKILL.md does not warn about these risks, nor does the code validate signatures/checksums or restrict allowed paths.
Install Mechanism
note: There is no separate installer (instruction-only plus an included main.py). No external install URLs are used; downloads are performed at runtime from SHOP_BASE_URL (default localhost). The lack of an install spec is low risk on its own, but runtime downloads/extraction introduce higher risk as noted above.
Credentials
note: The skill requests no credentials or env vars, which aligns with its stated purpose. However it requires write access to a hardcoded root-owned path and uses /tmp for extraction; this implicit requirement (root write access) is not declared in metadata and is disproportionate to a general client tool.
Persistence & Privilege
ok: 'always' is false and the skill does not modify other skills' configuration. Installing downloaded skill packages into the skills directory is expected behavior for a store client. The capability to drop arbitrary files into the skills directory increases blast radius but is consistent with the stated function.