Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Native Run
v0.0.1Execute native commands on the local Windows machine and return their output to OpenClaw for automation and testing purposes.
⭐ 0· 667·5 current·5 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name and SKILL.md say the skill executes native commands locally; the included Python HTTP server and JS entry point do exactly that (they accept an incoming command and run it). That behavior is coherent with the claimed purpose. However, the skill metadata and docs do not line up with the code: SKILL.md example uses 'Run native: whoami' but the JS looks for 'Run command:', and skill.json references a non-existent 'skill.js' entry point. These mismatches reduce confidence that the package is well-constructed.
Instruction Scope
SKILL.md describes a simple pattern-based local command runner but omits operational details (how/when to start the Python server). The runtime files actually start an HTTP server that accepts arbitrary commands and runs them with shell=True — very broad capability. The documentation and code disagree on the trigger phrase and on platform details (doc says Windows; code is cross-platform). The instructions do not limit or sanitize allowed commands, nor do they explain the hardcoded token or how to secure the service.
Install Mechanism
There is no install spec (instruction-only), which is low-risk in isolation. However, the repository includes executable code (a long-running Python HTTP server and a JS entrypoint) that will be placed on the gateway if installed; those files will run arbitrary shell commands if launched. The lack of an install spec means there's no controlled install step to set up secure defaults (e.g., change token, restrict bind address).
Credentials
The skill declares no required environment variables or credentials, which superficially seems minimal. But it embeds a long, hardcoded token in both the Python and JS files. Hardcoded secrets in code are sensitive: anyone with file access can use or leak the token, and if the service is accidentally exposed beyond localhost, that token grants remote command execution. No justification is provided for this hardcoded secret.
Persistence & Privilege
always is false (good). The skill includes a server that, if executed, will run persistently (HTTP server on localhost:8080) and accept command execution requests. Autonomous invocation by the agent is allowed (disable-model-invocation is false), which is expected for skills but increases blast radius: an agent could trigger the skill to call the local runner. The package does not request elevated system config, but the long-running server behavior should be treated like persistence and secured appropriately.
What to consider before installing
This skill will run arbitrary shell commands on the gateway machine — a high-risk capability that appears intentional. Before installing: (1) Do not deploy on any machine you don't fully control or trust. (2) Fix the mismatches: update skill.json to point to the actual entry file, and align SKILL.md examples with the JS pattern (or vice versa). (3) Remove the hardcoded token: require a configurable secret via secure environment variable or platform-managed credential, and rotate it. (4) Implement command whitelisting/sanitization and restrict the server to localhost or a secured socket. (5) Consider running the service in an isolated container or VM with limited privileges. If you cannot inspect and remediate the code yourself, treat this package as unsafe to install on production or sensitive systems.Like a lobster shell, security has layers — review code before you run it.
latestvk971fjeh810nkpjajat4x76d0h813y9h
License
MIT-0
Free to use, modify, and redistribute. No attribution required.