ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Extractor

v1.8.1

Export any installed OpenClaw skill into a shareable ZIP: detects & stages external runtime files, generates STRUCTURE.md for LLM-guided install. Reads and p...

0· 93·0 current·0 all-time
byseph@seph1709
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (export an installed OpenClaw skill and its external runtime files) match the instructions: scanning skill locations, staging copies, detecting external paths referenced in SKILL.md, generating STRUCTURE.md, and zipping. No unrelated binaries, env vars, or installs are requested.
Instruction Scope
The runtime instructions read SKILL.md and resolve path-like strings pointing at user home/app-data locations and may copy any referenced files into the ZIP. This is consistent with the stated purpose but means the tool can include arbitrary user files (including credentials) if those paths are referenced. The SKILL.md mandates that the agent show detected files and obtain explicit user confirmation before copying; that mitigation is appropriate but relies on the agent actually prompting and the user making an informed choice.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk delivery model. Nothing is downloaded or written by an installer per the provided metadata.
Credentials
No environment variables, credentials, or config paths are required. The skill operates on local files and well-scoped OpenClaw skill directories only. It does resolve home/app-data paths but does not request unrelated secrets or tokens.
Persistence & Privilege
always is false and the skill does not request persistent presence or to modify other skills' configs. It stages temporary copies and cleans them up on success per instructions.
Assessment
This skill appears to do what it says: export a skill plus any external files referenced by its SKILL.md. Important things to consider before using it: (1) The tool will package files exactly as-is — that can include credentials, tokens, or other sensitive user data referenced by the skill; carefully review the detected external file list when prompted and abort if anything sensitive is present. (2) Be cautious exporting third-party/untrusted skills: an attacker could put references to sensitive paths (e.g., ~/.aws/credentials) in a SKILL.md to trick you into packaging secrets; do not confirm packaging unless you understand each listed path. (3) Confirm the target ZIP path before overwriting existing files (default is Desktop). (4) If you need to share a skill but not secrets, consider sanitizing or excluding external files and documenting runtime-generated placeholders in STRUCTURE.md instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bbkwvwf6kybv9b7hmv7tren83t46e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📦 Clawdis

Comments