Skill v2.0.1
ClawScan security
指数通 · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Apr 28, 2026, 1:50 AM)
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The SKILL.md and content are coherent for a finance/index advisor, but the package includes installer/CLI/plugin scripts that can persistently modify the agent environment and fetch code from external URLs — behavior that goes beyond the described runtime instructions.
- Guidance: What to consider before installing or running this skill:
  - If you only want the conversational/index-analysis behavior, you do NOT need to run the included install scripts; the SKILL.md describes a self-contained assistant that uses bundled references. Avoid running install.sh or cli/install.sh unless you trust the publisher and understand the changes.
  - The package contains installer/CLI code that will copy files into ~/.skillhub, ~/.local/bin, and ~/.openclaw, create wrappers, and configure a self-update URL. Those scripts also download archives from external hosts (skillhub-1388575217.cos.ap-guangzhou.myqcloud.com and lightmake.site). Running them gives the bundle persistent, auto-updateable presence on your system and the ability to configure the agent runtime.
  - Verify provenance before running any installer: confirm the publisher identity, hostnames, and tarball contents. Prefer reviewing the tarball locally (not piping curl | sh), and extract it in a sandbox/VM to inspect the files. If possible, run the skill in a restricted environment or container.
  - If you intend to install, consider these mitigations: set SKILLHUB_SKIP_SELF_UPGRADE=1 / SKILLHUB_SKIP_WORKSPACE_SKILLS=1 (or equivalent) to disable automatic updates/workspace installs; review and audit cli/skills_store_cli.py and cli/install.sh; check the URLs in cli/metadata.json and the install script; and avoid giving any credentials you do not intend to share.
  - Summary recommendation: SKILL.md content is coherent and looks benign for a finance assistant, but the presence of installers and automatic-update mechanisms that fetch code from external URLs is unexpected and elevates risk — treat this package as potentially risky unless you can verify and control the install process.
- Findings
  - [pre_scan_injection_signals_none] expected: Static pre-scan found no injection signals. This does not contradict the concerns: the repository still contains installer and CLI scripts that perform network downloads and filesystem modifications even though no regex-based injection signatures were flagged.
  - [remote-downloads_present] unexpected: install.sh downloads an archive from skillhub-1388575217.cos.ap-guangzhou.myqcloud.com; cli/metadata.json and CLI code reference lightmake.site and other external URLs. Such remote-download patterns are not expected for a purely instruction-only finance analysis skill.
Review Dimensions
- Purpose & Capability (concern): The skill's name, description, and SKILL.md are purely financial (index analysis). However, the bundle includes a skills-store CLI, installers (install.sh, cli/install.sh), a plugin (cli/plugin/*), and workspace skill templates (find-skills, skillhub-preference). Those files enable installing/configuring other skills, writing into ~/.skillhub and ~/.openclaw, and injecting policy into prompt-building — capabilities that are unrelated to a read-only financial analysis assistant and are not reflected in the declared requirements (which list no install spec or required binaries).
- Instruction Scope (note): The SKILL.md runtime instructions themselves stay inside the finance domain (analysis frameworks, output format, compliance constraints, and using bundled references). They do not instruct the agent to run installers or call external services. However, the repository contains scripts and a CLI that, if executed by a user or agent, would perform system changes and network fetches; scope creep exists in the package even if SKILL.md does not reference it.
- Install Mechanism (concern): No install spec was declared in registry metadata, yet the package contains install.sh, which downloads a tarball from https://skillhub-1388575217.cos.ap-guangzhou.myqcloud.com/install/latest.tar.gz and extracts it, and cli/install.sh, which copies files into ~/.skillhub and ~/.local/bin and may configure OpenClaw. Downloading and extracting archives from third-party URLs and creating persistent wrappers is a higher-risk install mechanism; the download hosts are not standard central release hosts (they appear to be hosted storage / lightmake.site), increasing the risk of supplying arbitrary code.
- Credentials (note): The skill declares no required environment variables or credentials, which matches a read-only analysis skill. But the included installers and CLI will write into the user home (~/.skillhub, ~/.openclaw), create wrappers in ~/.local/bin, call openclaw if present, and set a self-update URL pointing at remote manifests. These actions do not require secrets but do grant persistent network-enabled update behavior disproportionate to a simple assistant.
- Persistence & Privilege (concern): The package contains scripts that, when run, create persistent artifacts (CLI wrapper, config files, plugin files under ~/.openclaw/extensions/skillhub) and configure auto-update/self-update URLs. Though the skill is declared always:false, installing those scripts gives the skillstore/installer persistent presence and update capability on the host — a notable privilege beyond the SKILL.md's runtime behavior.
