China Install Skills
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill can immediately run shell code that changes the user's OpenClaw and shell environment.
The hook explicitly runs a noninteractive initialization script immediately after installation, so setup code can execute before a separate user request.
# OpenClaw 会自动执行此脚本
export NONINTERACTIVE=1
"${SKILLS_DIR}/scripts/init-noninteractive.sh"Make post-install actions opt-in, declare them in install metadata, and show the exact changes before running them.
Future clawhub commands may be intercepted, and a weekly background task may run even after the original install task is over.
The initializer schedules cron, prepends a bin directory to PATH, and creates a clawhub wrapper, causing the skill to keep affecting future sessions and commands.
("${SCRIPT_DIR}/setup-cron.sh" "$AGENT_WORKSPACE" >> /tmp/china-install-init.log 2>&1) || true
...
echo "export PATH=\"$BIN_DIR:\$PATH\"" >> "$SHELL_RC"
...
cat > "$BIN_DIR/clawhub" << 'CLAWWRAP'Do not install command wrappers or cron jobs by default; require explicit confirmation and provide one uninstall command that removes cron, PATH edits, wrappers, and memory entries.
The agent may later treat this skill's command replacement as remembered context, even when the user did not explicitly ask for it.
The initializer appends operational instructions into the MAIN agent's persistent memory, which future conversations may reuse as trusted context.
MEMORY_DIR="${AGENT_WORKSPACE}/agents/MAIN/memory"
...
cat >> "$MEMORY_FILE" << EOF
...
现在 \`clawhub install\` 命令会被自动替换为使用 china-install-skillsAsk before writing to agent memory, keep entries factual rather than directive, and scope any record to this skill's own files where possible.
An ambiguous search could install or overwrite the wrong skill in an agent's skills directory.
The quick-install flow takes the first remote search match and force-installs it, without showing choices or requiring confirmation of the exact slug and overwrite.
SEARCH_RESULT=$(curl -sL "https://wry-manatee-359.convex.site/api/v1/skills?q=$(echo $QUERY | sed 's/ /+/g')" | ... | head -1)
...
"${SCRIPT_DIR}/install.sh" "$SLUG" "$TARGET" --forceRequire an exact slug or present candidates for confirmation, avoid --force by default, and validate that the destination remains inside the selected skills directory.
Users have less ability to verify who maintains the installer and whether the downloaded code path matches the published source.
The registry does not identify a skill-specific source and points to the general OpenClaw repository, which weakens provenance for a skill that downloads and installs other code.
Source: unknown Homepage: https://github.com/openclaw/openclaw
Publish a clear, skill-specific source repository, align registry metadata with the included docs, and use integrity checks for downloaded packages.
A user may approve installation believing it is a simple workspace-local installer when it also changes persistent command behavior.
The document says it modifies cron, PATH, and command behavior, but later claims it does not modify system configuration, which can make users underestimate the impact.
自动完成: - ✅ 配置每周自动更新检查(crontab) - ✅ 替换 `clawhub install` 命令 - ✅ 添加到 PATH ... ### 权限控制 - 不修改系统配置
Correct the safety wording and clearly disclose all persistent changes before installation.