Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Safe Install

v1.1.0

Safely review and install third-party OpenClaw Skills. Downloads to a temp directory, runs a 7-point security audit, generates a human-readable report, and o...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (securely download, scan, report, then install) match the instructions: the SKILL.md only asks the agent to download into a temp dir, enumerate and read files, grep for risky patterns, generate a report, and optionally copy to ~/.openclaw/skills/. Nothing requested (no env vars, no unrelated binaries) is disproportionate to the stated purpose.
Instruction Scope
Instructions ask the agent to git-clone / npm-pack user-supplied sources and to read every file in the downloaded repo line-by-line and run many pattern searches. That is expected for an audit tool, but it inherently gives the agent access to any secrets or sensitive files included inside the downloaded repository (e.g., .env). The skill correctly warns to operate only inside TEMP_DIR and not to install directly; ensure the agent enforces that boundary and does not execute scripts from the repo. Also the skill instructs use of exec/read (agent tools) which is consistent but should be run in a sandboxed environment.
Install Mechanism
This is a prompt-only (instruction-only) skill with no install spec and no code files to write to disk. That is low-risk and consistent with its purpose.
Credentials
The skill declares no required environment variables or credentials. The SKILL.md tells the auditor to search downloaded files for references to credentials (OPENAI_API_KEY, .env, openclaw.json) — appropriate for an audit. There is no unexplained request for unrelated secrets.
Persistence & Privilege
The skill is not marked always:true and is user-invocable only. It does not request modifying other skills or system-wide config. Autonomous invocation is allowed (default) but not combined with other concerning privileges.
Scan Findings in Context
[ignore-previous-instructions] expected: The scanner flagged the phrase 'ignore previous instructions'. SKILL.md explicitly lists such prompt-injection phrases as things to search for in target Skills (part of the hidden-instructions checklist). This appearance is expected in a scanner/auditor skill and not itself evidence of malicious instruction to the agent, but the file should be inspected to ensure the phrase is not used as an active instruction to the agent.
Assessment
This skill is internally coherent for its stated purpose: it downloads user-supplied repos/packages into a temp directory, scans them thoroughly, reports findings, then (optionally) installs. Before using it, you should: 1) run it in a restricted/sandboxed environment (so git/npm fetches can't harm your host); 2) confirm the agent does not execute any downloaded scripts — only read them; 3) verify the agent enforces the TEMP_DIR boundary (no reading of your home or system files); 4) review the generated report before allowing auto-install; and 5) if you see any hidden/obfuscated content or instructions in the target SKILL.md that tell the agent to override its own safeguards, treat that as dangerous and abort. If the SKILL.md actually contains active instructions that tell the agent to 'ignore previous instructions' or to exfiltrate files, or if the skill tries to auto-run setup scripts from the downloaded repo, reclassify as suspicious and do not proceed.
SKILL.en.md:240: Prompt-injection style instruction pattern detected.
SKILL.md:240: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
