Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Aruba Iap Publish

v1.2.0

Comprehensive Aruba Instant AP (IAP) configuration management with automatic baseline capture, rollback support, and health monitoring. Supports device disco...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, description, CLI, and code files (connection.py, operations.py, monitor.py, secrets.py, etc.) are coherent with Aruba IAP configuration/monitoring. However the registry metadata marked it as 'instruction-only' / no install spec while the package includes full source code and an install.sh — an inconsistency in packaging/metadata that should be explained by the publisher.
Instruction Scope
SKILL.md instructs running ./install.sh and using iapctl to connect to device IPs and capture/modify configs. That scope is expected, but the repo also contains many backup artifacts and full running-config files that include sensitive secrets (virtual-controller-key, RADIUS/shared keys, SNMP community strings, WPA passphrases or hashed passphrases). The documentation and examples sometimes show plaintext secrets and recommend creating secrets.json files in the repo if used; this increases the chance of credential leakage. The runtime instructions do not explicitly warn to remove these example/backups or to inspect install.sh before running.
Install Mechanism
There is no Registry install spec, but an install.sh is included and SKILL.md tells you to run it. That means install actions are performed by an unreviewed script in the package; this is higher risk than a pure instruction-only skill because it writes files and may install dependencies. The package does not reference remote download URLs in the manifest provided here (no evidence of remote fetch in metadata), but you should inspect install.sh before executing it.
Credentials
The skill declares no required env vars or primary credential (which is reasonable), and it supports secret_ref patterns and env: references for sensitive data. That's acceptable in principle — however the repository contains example secrets.json and actual backup artifacts containing live secrets/keys (virtual-controller-key, RADIUS key, SNMP community, WPA passphrases). Keeping such sensitive data in the skill repository is disproportionate and increases risk of accidental exfiltration if the repo is shared or pushed to remote systems.
Persistence & Privilege
The skill does not request always:true, does not declare system-wide config changes, and is user-invocable. It does include an install script which will create local files/binaries in the workspace when run, but there is no evidence it attempts to persistently enable itself across other agents or modify unrelated skill configs.
What to consider before installing
This skill appears to implement the advertised Aruba IAP operations, but exercise caution before installing or running it:

- Inspect install.sh before executing it. The package contains an install script (not a registry install spec) so running it will execute code from the repository on your machine.
- Review secrets/examples/backups in the repository. Several included backup files (show_running-config, backups/..., running-config files) contain sensitive values (virtual-controller-key, RADIUS keys, SNMP community strings and WPA passphrases). Remove or redact those files and any example secrets.json before placing the skill in production or sharing the repo.
- Prefer secret_ref/env-based secret injection at runtime rather than storing secrets in files in the repo. If you must use a secrets.json file, keep it out of the skill workspace and out of version control.
- If you will run this in a production environment, test in an isolated lab first. Verify the code (especially connection.py and install.sh) to ensure it only connects to the IPs you intend and does not transmit data to third-party endpoints.
- Confirm the publisher/source. The skill lists Aruba's homepage but the owner ID is an unknown publisher; verify the origin/publishing trust before deploying in production.

If you want, I can: summarize the exact lines/files that contain sensitive keys, extract the install.sh contents and highlight risky commands, or search the code for network endpoints and upload/exfiltration patterns.

Like a lobster shell, security has layers — review code before you run it.

Tags: ap, aruba, automation, cli, configuration, iap, infrastructure, latest, management, monitoring, networking, ssh, troubleshooting, wifi, wireless
