Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (workspace config & skill index) matches many files that are local workspace tooling (cron, heartbeat, scrapers, feeders). However the bundle also includes utilities that directly manipulate other agent state/config (fix-agent-sessions.js, fix-sessions-complete.js), a WebSocket client that uses a hard-coded gateway auth token, and many exported data files (cookies, user data, phone/email). Some of these capabilities (editing agent.json across agents, direct gateway access) go beyond a simple 'index/config' description.
Instruction Scope
The SKILL.md text is minimal and benign, but the included files instruct or implement actions that read local config and secrets (feishu token lookups, reading ~/.openclaw config files, local cookies), connect to the local gateway (ws://127.0.0.1:18789) with a hard-coded token, and perform session migration/copying between agent directories. The runtime instructions in code access local files and modify agent configs/sessions not referenced in SKILL.md.
Install Mechanism
No external install/download mechanism is declared (instruction-only install), so nothing is pulled from remote during install. However the published bundle already contains many executable scripts and data files — installing this skill will place those files on disk and could grant them local execution when invoked.
Credentials
Registry metadata declares no required env vars, but multiple scripts expect or try to read secrets: FEISHU_APP_ID/FEISHU_APP_SECRET (and memory files contain plaintext Feishu app id/secret), a hard-coded gateway TOKEN is present in scripts/compact_session.py, and there are cookie/session files with session tokens for external sites (dianping). The skill therefore packages and uses multiple sensitive credentials without declaring or justifying them in SKILL.md.
Persistence & Privilege
The bundle contains scripts that modify other agents' configuration and session directories (fix-agent-sessions.js updates agent.json and sessions for multiple agents). While always:false and model invocation allowed are normal, these scripts have the ability to change system-wide agent state and copy session data across agents — a high-privilege action that should be explicitly documented and justified.
Scan Findings in Context
[base64-block] unexpected: The pre-scan flagged a base64-block pattern inside SKILL.md content as a potential prompt-injection pattern. The visible SKILL.md is short; this flag indicates the package may contain embedded data or injection-style content worth reviewing.
What to consider before installing
This package appears to be a full local workspace with automation scripts, but several red flags exist: it contains hard-coded tokens (gateway token in scripts/compact_session.py), plaintext Feishu app credentials in memory files, cookie/session dumps, and scripts that edit agent.json and copy sessions between agents. These actions can expose or move sensitive data and change other agents' state. Do not install or run this skill on a production machine or with real credentials unless you: (1) audit and remove or rotate any hard-coded secrets, (2) review and sandbox or disable scripts that modify /Users/<user>/.openclaw/agents/* and sessions, (3) ensure Feishu/third-party credentials are provided via environment variables or secure vaults rather than left in files, and (4) run the code in an isolated test environment first. If you trust the author and need the functionality, at minimum remove or rotate embedded tokens and thoroughly review fix-* and compact_session scripts before use.
scripts/transcribe_youtube.js:27
Shell command execution detected (child_process).
skills/vtrain-food-analyzer/scripts/generate_food_report.js:27
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latestvk972hy5fvhwd5df1vtev20nzes84ev8s
