China Install Skills
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This installer is purpose-aligned, but it automatically runs post-install scripts that persistently change the user’s agent environment, shell PATH, cron jobs, memory, and ClawHub command behavior.
Only install this if you are comfortable with it running shell code at install time, adding cron/PATH changes, writing agent memory, and replacing `clawhub install` behavior. Review the scripts first and consider disabling the post-install hook or running setup steps manually.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill can execute local shell code before the user separately chooses to configure it.
The post-install hook runs a noninteractive shell initialization script automatically during installation.
export NONINTERACTIVE=1; "${SKILLS_DIR}/scripts/init-noninteractive.sh"
Make post-install execution opt-in, clearly prompt before running initialization, and ensure registry/install metadata declares the hook.
The skill can keep influencing future agent and terminal behavior after the original install action is finished.
The initialization creates a cron job, persistent helper commands, PATH changes, and a replacement `clawhub` wrapper.
setup-cron.sh ...; cat > "$BIN_DIR/cinstall" ...; echo "export PATH=\"$BIN_DIR:\$PATH\"" >> "$SHELL_RC"; cat > "$BIN_DIR/clawhub"
Require explicit user approval for each persistent change and provide a complete uninstall/rollback command.
A mistaken or manipulated skill name/target could overwrite or remove installed skills and change agent behavior.
The installer deletes and replaces skill directories based on supplied target and slug values; the quick-install path invokes install with `--force`.
rm -rf "${TARGET}/${SLUG}" ... cp -r "${EXTRACTED_DIR}"* "${TARGET}/${SLUG}/"
Validate slugs and target paths, avoid automatic `--force`, and prompt before deleting or replacing an existing skill.
Future agent sessions may trust and reuse this injected memory entry, including the changed command behavior, without the user actively adding it.
The skill automatically appends persistent instructions/status into the MAIN agent memory.
MEMORY_DIR="${AGENT_WORKSPACE}/agents/MAIN/memory" ... cat >> "$MEMORY_FILE" ... "clawhub install" 命令会被自动替换
Ask before writing agent memory, label the entry as installer-created, and document how to remove it.
Users may believe the skill is limited to a workspace even though it changes broader local environment and persistent agent state.
These safety claims conflict with included scripts that edit shell rc files, create `~/.local/bin` commands, configure crontab, and write MAIN agent memory.
- Operates only within the user-specified workspace
- Does not modify system configuration
Correct the documentation to list all environment changes and require consent before making them.
For a tool that installs other skills, unclear source and install provenance make it harder to verify what code is trusted.
The artifact set presents unclear provenance and an instruction-only install posture while also containing executable hooks/scripts and docs that reference other repositories.
Source: unknown; Homepage: https://github.com/openclaw/openclaw; No install spec — this is an instruction-only skill.
Publish consistent repository metadata, declare all hooks/install behavior, and add integrity checks for downloaded skill packages.
