Catch My Skill
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: catch-my-skill Version: 1.0.0 The skill is classified as suspicious due to a critical shell injection vulnerability found in `index.js`. The `updateSkill` function uses `execSync` with unsanitized user input (`process.argv[3]`) when constructing `git clone` and `clawhub install` commands, which allows for arbitrary command execution. Additionally, `SKILL.md` instructs the agent to establish persistence via a cron job, which, while intended for legitimate updates, could be leveraged by an attacker exploiting the shell injection vulnerability.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or manipulated skill name could cause unsafe shell behavior, and even normal use can change installed skills in the user's OpenClaw environment.
The update command takes a command-line skill name and interpolates it into shell commands that clone or install skills, without visible input validation, safe argument passing, or confirmation.
const arg = process.argv[3]; ... case 'update': if (arg) updateSkill(arg); ... execSync(`cd ~/.openclaw/workspace/skills && git clone ${repoUrl} 2>/dev/null`, { timeout: 30000 }); ... execSync(`clawhub install ${name}`, { timeout: 30000 });Use safe argument APIs such as spawn/execFile, validate skill names against a strict slug pattern, require explicit confirmation before installs, and restrict updates to trusted, known skills.
Updating through this skill may install or replace agent skills from external sources without strong assurance that the code is the intended version or from the intended owner.
The updater fetches skill code from GitHub or ClawHub by name, with no visible pinning, signature/checksum verification, version verification, or source review step.
const repoUrl = `https://github.com/${config.githubUsername}/${name}`; ... git clone ${repoUrl} ... catch { execSync(`clawhub install ${name}`, { timeout: 30000 }); }Pin trusted owners and versions, show the exact source before installation, verify integrity where possible, and avoid silently falling back to another install source.
If installed as described, the skill may keep running checks and writing logs in the background.
The documentation describes a persistent scheduled job that runs every 30 minutes. It is disclosed and aligned with periodic version checking, but it continues operating outside the immediate user request.
自动添加到 crontab: ... */30 * * * * node /path/to/catch-my-skill/index.js check >> /home/orangepi/.openclaw/logs/catch-my-skill.log 2>&1
Confirm whether a crontab entry is actually installed, make scheduling opt-in, and document how to disable or remove the recurring job.