Install Shared Skill
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is an installer as advertised, but it builds a shell command from the skill name, so a crafted name could run arbitrary local commands, and it installs into the skill directory shared by all agents.
Only install this if you intentionally need a shared/global skill installer and trust the exact skills you will install. Before use, the unsafe shell invocation should be fixed, and shared installs should require explicit confirmation with clear version/source details and rollback instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted skill name, or a mistaken tool invocation, could run arbitrary commands as the local user in the workspace.
skillName comes from process.argv[2] and is inserted into a shell command. Shell metacharacters in the skill name could execute additional commands; the same pattern appears in tools/install_skill.js.
`const command = \`clawhub install ${skillName} --workdir ./\`; ... exec(command, { cwd: process.env.OPENCLAW_WORKSPACE || process.cwd() }, ...)`
Use child_process.execFile or spawn with an argument array, validate skill names against a strict slug pattern, reject shell metacharacters, and require user confirmation before running.
An unwanted or wrong skill could be installed into the shared OpenClaw environment and then be available to other agents.
The exposed tool installs an arbitrary named skill into a shared agent environment, but the artifacts do not describe approval, allowlist, version, publisher, or rollback controls.
Install OpenClaw skills at the local/system level so they are shared by all agents... Executes: `clawhub install <skill_name> --workdir ./`
Require explicit user approval, show the exact skill/version/publisher before installation, prefer workspace-scoped installs by default, and provide a clear uninstall or rollback path.
The chosen name installs whatever skill it resolves to at install time, including a future or similarly named package, unless the result is verified first.
Fetching skills from ClawHub is the stated purpose, but installing by name without stated pinning or verification means the user relies on the registry resolution at install time.
Uses the clawhub CLI to fetch and install skills... Parameters: `skill_name`
Install only trusted skills, verify publisher/source details, and prefer pinned versions or reviewed skill identifiers when available.
A flawed or unsafe installed skill could influence all agents that use the shared skill directory.
A single install action can affect multiple agents and future sessions, so a bad install is not contained to the current task or workspace.
shared by all agents... global OpenClaw skills directory (not workspace-scoped)
Test new skills in a workspace-scoped environment first, require confirmation for shared installs, and keep a documented rollback path.
