ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weclaw Installer

v1.0.0

Automate installing and configuring the WeClaw WeChat bot environment on macOS. Use when the user asks to download/install WeClaw, set up a local Python envi...

0· 36·0 current·0 all-time
byHang Yin@popilopi168
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (WeClaw installer) matches the declared requirements (git, uv, python3) and the tasks (clone repo, run installer). However the skill package does not include the actual installer implementation (setup_package.py is referenced but absent), so the package cannot be verified as self-contained.
!
Instruction Scope
SKILL.md explicitly instructs the agent to clone an external GitHub repository and run a Python entrypoint that imports setup_package.setup_openclaw_package. The included wrapper (scripts/run_setup.py) will execute code from that external repo. The instructions also request an API key interactively. Downloading and executing code from an external, unreviewed repo and passing a user-provided API key to it is outside what can be validated from this skill bundle alone.
!
Install Mechanism
There is no formal install spec in the skill; instead the runtime instructions require cloning an external GitHub repository (https://github.com/Popilopi168/weclaw-package-upload-test) and executing Python code from it. Running arbitrary code fetched at runtime is higher risk because the executed module (setup_package.py) is not present in the published files for review.
Credentials
The skill declares no required environment variables but its runtime instructions tell the agent to ask the user for an API key (and pass it to the external setup). Asking for a single API key is reasonable for an installer, but the skill metadata does not declare this requirement and the behavior of code that receives the key (setup_package) cannot be audited here.
Persistence & Privilege
always is false and there is no install that persists or modifies other skills/system configs in the provided files. However, because the skill instructs execution of external code, autonomous invocation by the agent (default) would increase risk if the external code is malicious.
What to consider before installing
This skill instructs cloning and running code from an external GitHub repository while the core installer (setup_package.py) is not included in the skill bundle — that makes it impossible to audit what the installer will do. Before installing or running this skill: (1) Inspect the external GitHub repo yourself (especially setup_package.py) and confirm you trust its maintainer. (2) Do not paste your real API key until you understand how it will be used or stored; consider using a test key. (3) Run the installer in an isolated environment (VM/container) or on a throwaway account. (4) Ask the skill author to publish the missing setup_package.py (or include full installer code) and to declare the exact purpose of the API key. If you cannot review the external repository, do not run the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk974hw4a69bv49p34yahbssee983xd7h

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

OSmacOS
Binsgit, uv, python3

Comments