Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

EMR Analyzer

v1.0.0

An open-source analysis and diagnostics tool for big-data applications on Linux systems. It supports service status checks, retrieval and tuning of configuration parameters, and analysis of job errors with optimization suggestions. Supported components: YARN, Hive, HDFS, Spark, Impala, Trino, Tez, StarRocks, HBase, Kafka, ZooKeeper, Ranger, OpenLDAP, Hue, Flink.

by qinyafei@qinyafei123
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description claim a local Linux EMR/big-data diagnostics tool. The included scripts read logs, check processes and ports, and parse configs for many Hadoop-ecosystem services, which is coherent with the stated purpose. The config and log paths under /etc/taihao-apps and /etc/ecm are nonstandard but reasonable for a packaged environment.
Instruction Scope
SKILL.md instructs the agent to run the three included Python scripts to inspect service status, config, and logs. Those scripts perform local file reads and execute system commands (ps/ss/netstat/ls/grep/tail/awk/systemctl and per-service version commands), which is expected for diagnostics. However, the scripts accept user-supplied service names and line counts and interpolate them into shell strings executed via subprocess.run(..., shell=True) without explicit validation or quoting. If an untrusted value reaches those parameters, the result is shell injection: a service name such as yarn; id is executed as two commands rather than treated as one argument.
Install Mechanism
No install spec or external downloads — the skill is instruction-only with bundled scripts. Nothing is fetched from external URLs or installed automatically, which reduces supply-chain risk. The included code will be written to disk when the skill is installed/executed by the agent.
Credentials
The skill requests no credentials or environment variables and does not call external endpoints. It does, however, read system config files and logs (e.g., /etc/... and /var/log/...) and attempts local service connections (e.g., invoking mysql -h 127.0.0.1 -P 8030 -u root -e ...) — these are consistent with a local diagnostics tool but grant the skill broad read access to system logs/configs. No network exfiltration endpoints are declared.
Persistence & Privilege
always is false, and the skill does not request persistent elevated platform privileges or attempt to modify other skills. It runs on demand via the included scripts; autonomous invocation is allowed by default, which is not unusual for skills.
Scan Findings in Context
[use-of-subprocess-shell] unexpected: All three scripts use subprocess.run(..., shell=True) to execute system commands. Using shell=True is common for quick diagnostics but increases risk if user-controlled inputs are interpolated into shell strings.
[unsanitized-arg-interpolation] unexpected: Scripts accept a service name and other args from the command line and insert them directly into shell commands (e.g., ps/grep, generic '--version' fallbacks). If an agent supplies a crafted service_name, this could result in shell injection. This is a security weakness in implementation, even if not intentionally malicious.
[local-db-connection-command] expected: check_service_status.py includes a StarRocks version check that runs a local mysql command (mysql -h 127.0.0.1 -P 8030 -u root -e 'SHOW FRONTENDS;'). Local database queries are reasonable for service discovery and versioning, but this connects as root with no password, so it only succeeds where the FE accepts passwordless root logins, and its output (frontend hostnames, ports, roles) is returned to the agent. Note that in a default StarRocks deployment 8030 is the FE HTTP port and the MySQL-protocol query port is 9030, so confirm which port the target FE actually serves before relying on this check.
What to consider before installing
This skill appears to do what its description says (reading logs, checking services, and suggesting tuning). Before installing:
1) Review the three included Python scripts yourself. They execute many shell commands and interpolate arguments into shell strings (shell=True), which enables command injection if untrusted inputs are passed.
2) Only run this skill in a trusted environment (or a sandbox) where the service-name and line-count parameters cannot be influenced by an attacker, for example through content the agent reads from logs or tickets.
3) If you plan to use it in production, harden it first: validate service_name against an allow-list of supported services, parse numeric parameters as integers with a range check, replace shell=True with list-form argv (shell=False), and audit any commands that connect to local services (e.g., the mysql root connection).
4) Confirm you are comfortable with the skill reading system config files and /var/log/* on the host.
If you cannot review or harden the scripts, treat the skill as risky and avoid installing it on sensitive infrastructure.
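The following is an added example written for this review, not code from the EMR Analyzer scripts. It puts the flagged pattern (a service name pasted into a shell=True string) beside the hardening steps listed above: an allow-list for the service name, integer parsing with a range check for the tail line count, list-form argv with shell=False, and the ps/grep pipeline replaced by filtering in Python. The service table, process markers and sample ps output are assumptions constructed for the example; the real scripts' lookup tables are not shown on this page.

```python
import re
import subprocess

# Hypothetical service table for the example. The page lists these components
# but does not show the scripts' own table, so these markers are assumptions
# modelled on the daemons' main classes.
SERVICE_PROCESS_MARKERS = {
    "yarn": "org.apache.hadoop.yarn.server.resourcemanager.ResourceManager",
    "hdfs": "org.apache.hadoop.hdfs.server.namenode.NameNode",
    "hive": "org.apache.hive.service.server.HiveServer2",
    "zookeeper": "org.apache.zookeeper.server.quorum.QuorumPeerMain",
}


def vulnerable_status_command(service_name: str) -> str:
    """The pattern the scan flags: the caller's string is pasted into a shell line.
    Executed with shell=True, a value such as 'yarn; id' becomes two commands."""
    return f"ps -ef | grep {service_name} | grep -v grep"


def validate_service_name(service_name: str) -> str:
    """Allow-list check: only names that have a marker, after normalising case and
    whitespace. Anything else is rejected rather than escaped."""
    name = service_name.strip().lower()
    if not re.fullmatch(r"[a-z0-9_-]{1,32}", name) or name not in SERVICE_PROCESS_MARKERS:
        raise ValueError(f"unknown service name: {service_name!r}")
    return name


def validate_line_count(value, low: int = 1, high: int = 10_000) -> int:
    """Numeric parameters (e.g. a tail line count) are parsed as an integer and
    range-checked, so '200; rm -rf /' or '-n 999999999' never reaches a command."""
    text = str(value).strip()
    if not re.fullmatch(r"[0-9]{1,6}", text):
        raise ValueError(f"line count must be a small positive integer, got {value!r}")
    count = int(text)
    if not low <= count <= high:
        raise ValueError(f"line count {count} outside {low}..{high}")
    return count


def tail_argv(log_path: str, lines) -> list:
    """Build argv for tail without a shell. Each element is exactly one argument:
    the count is an int rendered as text, and the path is passed verbatim."""
    return ["tail", "-n", str(validate_line_count(lines)), log_path]


def matching_processes(ps_output: str, marker: str) -> list:
    """Filter `ps -eo pid=,args=` output in Python instead of piping through grep.
    Returns (pid, args) pairs whose command line contains the marker."""
    matches = []
    for line in ps_output.splitlines():
        line = line.strip()
        if not line:
            continue
        pid_text, _, args = line.partition(" ")
        if pid_text.isdigit() and marker in args:
            matches.append((int(pid_text), args))
    return matches


def service_processes(service_name: str) -> list:
    """Hardened replacement for the ps/grep pipeline: validated name, list-form
    argv, shell=False, and the filtering done in Python."""
    marker = SERVICE_PROCESS_MARKERS[validate_service_name(service_name)]
    result = subprocess.run(["ps", "-eo", "pid=,args="],
                            capture_output=True, text=True, check=False)
    return matching_processes(result.stdout, marker)


# Constructed sample of `ps -eo pid=,args=` output so the filter can be exercised
# offline. The third line shows why matching on the full class name matters:
# a bare 'ResourceManager' substring would also match the grep process itself.
SAMPLE_PS_OUTPUT = """\
 1234 /usr/lib/jvm/java/bin/java -Xmx2g org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
 1301 /usr/lib/jvm/java/bin/java -Xmx4g org.apache.hadoop.hdfs.server.namenode.NameNode
 2202 grep --color=auto ResourceManager
"""

if __name__ == "__main__":
    print("unsafe:", vulnerable_status_command("yarn; id"))
    print("safe argv:", tail_argv("/var/log/hadoop-yarn/yarn-resourcemanager.log", "200"))
    print("yarn:", matching_processes(SAMPLE_PS_OUTPUT, SERVICE_PROCESS_MARKERS["yarn"]))
    for bad in ("yarn; id", "$(id)", "../hdfs"):
        try:
            validate_service_name(bad)
        except ValueError as exc:
            print("rejected:", exc)
```

Quoting the value with shlex.quote would stop the shell from splitting it, but it would still let the caller choose what the script greps for and tails; the allow-list and integer parsing narrow the inputs to exactly what the tool supports, and shell=False removes the shell from the path entirely. The same argv discipline applies to the mysql invocation: pass host, port and statement as separate list elements rather than a formatted string.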
