Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EDA Spec2GDS
v1.0.1Drive an open-source EDA workflow from spec to GDS using OpenClaw skills, workspace files, and CLI tools. Use when the user wants to turn a hardware spec int...
⭐ 0· 73·0 current·0 all-time
byAuther@s906903912
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (spec → RTL → synthesis → OpenLane → GDS) aligns with the declared requirements: yosys, iverilog/vvp, docker, python3 and multiple scripts that implement the workflow. Declared permissions (sudo access for installs, docker_group) match the install script behavior. There are no unrelated credentials, binaries, or unexpected external services requested.
Instruction Scope
SKILL.md and the scripts focus on file-based EDA workflows and stepwise execution. The runtime instructions do include optional system-modifying steps (install_ubuntu_24_mvp.sh and bootstrap_eda_demo.sh) which perform package installs, start Docker, create a Python venv, and pull images. Those operations are within the skill's claimed scope but expand the agent's authority (need sudo, modify groups, network downloads). The documentation repeatedly warns to only run installs in an isolated environment.
Install Mechanism
There is no automatic install spec but the repository includes install scripts that run apt-get, pip install, and docker pull (Docker Hub). These use well-known package sources (apt, PyPI, Docker Hub) rather than arbitrary shorteners or personal servers, which is expected for this use case. Supply-chain risk remains (untrusted packages/images), so the scripts should be reviewed and images/pip pins verified before use.
Credentials
The skill requests no environment variables or secret credentials. The only environment/config changes are typical for toolchain setup: creating a Python venv (~$HOME/.venvs/openlane) and modifying docker group membership. The code does not attempt to read or exfiltrate secrets or access unrelated system config paths beyond typical install locations and the skill workspace.
Persistence & Privilege
The optional installation scripts enable and start the Docker daemon and add the user to the docker group (usermod -aG docker), which grants powerful privileges and is a common escalation vector. The scripts also modify system packages (/usr/bin, services) via sudo. These are expected for running OpenLane but are high-privilege actions — the skill documents and warns about them, but users should treat the install steps as potentially risky and run them only in isolated environments.
Assessment
This skill appears to be what it claims: an artifact-first EDA flow with optional setup scripts. Before running any install/bootstrap scripts: 1) review scripts/install_ubuntu_24_mvp.sh and scripts/bootstrap_eda_demo.sh line-by-line; 2) run installs only in an isolated VM/container or a disposable workstation (do NOT run on production); 3) be aware the installer adds you to the docker group and enables the Docker daemon — membership in the docker group effectively grants root-equivalent capabilities; 4) pin and verify package versions and Docker image checksums where possible (consider changing 'efabless/openlane:latest' to a specific digest); 5) if you do not want system changes, skip the install scripts and run only the file-based parts of the skill on a host that already has the required tools; and 6) monitor disk/network use (Docker images and OpenLane runs consume GBs). If you want, I can extract and summarize the exact install steps or point out any specific lines that warrant manual review.Like a lobster shell, security has layers — review code before you run it.
latestvk976hn8h6xwssdnpjcrvby3g35838v3w
License
MIT-0
Free to use, modify, and redistribute. No attribution required.