Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Configure Clawhub Domestic Mirror

v1.0.0

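Used to configure the ClawHub domestic (China) mirror address to speed up skill downloads. Use when the user mentions slow downloads, configuring a mirror, setting the registry, speeding up installation, or network timeouts. Descriptions such as "package download failed", "connection to overseas servers is slow" or "configure a domestic source" should also trigger it. Covers permanent configuration through environment variables, temporary per-command parameters, and verification methods, so that the CLI connects reliably to domestic nodes and access latency is resolved.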

by Roger (@roger0808)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Primary purpose (switch ClawHub to a domestic mirror) matches the script and most instructions: setting CLAWHUB_REGISTRY/CLAWHUB_SITE and validating with `clawhub search`. However, the SKILL.md also contains a lengthy 'Task record' describing syncing agent workspaces, creating learning files, restoring cron/jobs.json and other repository operations that are unrelated to configuring a mirror.
Instruction Scope
Core instructions stay within scope (write env vars to shell profile, source, run `clawhub search`). But the document additionally instructs or documents actions that would touch many paths and files (workspace/, .learnings/, TOOLS.md/MEMORY.md/LEARNINGS.md, cron/jobs.json, multiple git repositories). Those actions expand the agent's filesystem and git scope far beyond what a mirror config requires and could cause unintended writes or repository changes if executed.
Install Mechanism
No install spec — instruction-only plus an included shell script. The script appends exports to ~/.bashrc and sources it, then runs `clawhub search` if the CLI exists. Modifying ~/.bashrc is a normal, expected persistent change for this task but is irreversible without user action (should be reviewed/backed up before running).
Credentials
The skill does not request secrets or credentials. It proposes setting two environment variables (CLAWHUB_REGISTRY and CLAWHUB_SITE) which are appropriate and necessary for the stated goal. No unrelated credentials or config paths are demanded.
Persistence & Privilege
The skill does not set always:true and does not request elevated privileges, which is good. However, it performs a persistent change by appending exports to the user's ~/.bashrc. More importantly, the SKILL.md's task-record text references syncing and writing to multiple agent workspaces and config files (e.g., TOOLS.md, .learnings, cron/jobs.json, workspace/ directories). If the agent were allowed to act on that text autonomously, it could make persistent, cross-project changes beyond mirror configuration.
What to consider before installing
What to check before installing/using this skill:
- The mirror configuration itself is simple and reasonable: the included script appends two exports to your ~/.bashrc and sources it. Back up ~/.bashrc before running and review the script contents to confirm you want those persistent changes.
- Verify the mirror URL (https://cn.clawhub-mirror.com) is trustworthy for your environment; using an untrusted mirror can expose you to tampered packages.
- Pay attention to the SKILL.md 'Task record': it contains unrelated instructions about syncing workspaces, restoring cron jobs, and modifying multiple files/repos. If you run this skill (or let an agent act on it), ensure it is not allowed to execute those broader project/git operations unless you explicitly want them.
- If you want only the mirror change, run the script manually after review, or manually add the two export lines and run `source ~/.bashrc`, then verify with `clawhub search "git"`.
- If you plan to let an autonomous agent invoke this skill, restrict its file system and git permissions or remove/clarify the unrelated task instructions so the agent cannot unintentionally modify multiple projects.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
