Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
chezmoi
v0.1.1
chezmoi dotfile management. consolidate - merge duplicate templates [consolidate.md], cross-platform - Windows/macOS compatibility [cross-platform.md], docto...
byes6kr@drumrobot
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's files and guides align with a chezmoi dotfile-management purpose (template consolidation, cross-platform fixes, MCP sync, and a 'doctor' that installs helper scripts). However some pieces are narrowly focused on Claude/Cursor/UTCP workflows (e.g., copying claude-source.sh, editing ~/.claude.json) — that is plausible for a chezmoi repo used to manage those app configs, but it means the skill touches multiple app config files beyond generic dotfiles. Overall capability matches the described purpose, but the scope is broader than a minimal 'chezmoi helper'.
Instruction Scope
The SKILL.md instructs the agent to read and modify many local files (e.g., ~/.local/share/chezmoi/.chezmoitemplates/mcp-servers.json, ~/.claude.json, ~/.cursor/mcp.json, ~/.utcp_config.json) and to copy scripts into ~/bin. It references running chezmoi apply, cp, chmod, jq, and using AskUserQuestion for multi-selects. It also references environment variables (MCP_JSON, EXTRA_SETTINGS, SOURCEGIT_EXECUTABLE, CHEZMOI_OS) and $USER paths that are not declared in the skill metadata. Those undeclared runtime assumptions are scope-creep and could cause the agent to access or write configuration files unexpectedly.
Install Mechanism
This is instruction-only with no install spec; nothing is written by a packaged installer. That lowers supply-chain risk. The only included executable is a small helper script (bin/claude-source.sh) provided in the skill bundle.
Credentials
The skill metadata declares no required env vars, but the instructions and template examples rely on multiple environment variables (MCP_JSON, EXTRA_SETTINGS, SOURCEGIT_EXECUTABLE, CHEZMOI_OS), plus use $USER and assume certain home paths. In particular, MCP_JSON and EXTRA_SETTINGS are used as inputs to jq pipelines. The mismatch between declared and actually-used env variables is a proportionality and transparency issue.
Persistence & Privilege
The skill does not request always:true and does not modify other skills' configs, but its documented workflows include copying files into ~/bin and applying chezmoi changes system-wide (multiple app config files). Autonomous invocation is allowed by default (platform default) — combined with the ability to run chezmoi apply and copy executables, this increases the blast radius if the agent runs the skill without clear user confirmation. The SKILL.md repeatedly emphasizes running 'chezmoi diff' and asking the user for approval before applying; users should ensure those safeguards are enforced.
What to consider before installing
This skill appears to implement a real chezmoi workflow, but there are several things to check before you install or let an agent run it autonomously:
- Review the included helper script (bin/claude-source.sh). It launches a local 'claude' command with --dangerously-skip-permissions which bypasses permissions checks for that CLI; only install if you trust that binary and understand the consequences.
- Expect the skill to copy files into your home (~/bin) and to modify multiple application config files (~/.claude.json, ~/.cursor/mcp.json, ~/.utcp_config.json, etc.) via chezmoi apply. Make backups and run chezmoi diff yourself before applying any changes.
- The SKILL.md references several environment variables (MCP_JSON, EXTRA_SETTINGS, SOURCEGIT_EXECUTABLE, CHEZMOI_OS) but the skill metadata does not declare them. Ask the author (or inspect templates) to confirm which variables are required and where they come from. Treat any steps that use undeclared env vars as potentially risky.
- Because the skill can write files and run commands, prefer explicit user invocation rather than allowing autonomous runs. If you will let an agent run it, ensure AskUserQuestion prompts are enforced and review the diffs/ask prompts before any 'chezmoi apply' is executed.
- If anything is unclear, request the maintainer to: (1) declare required env vars in metadata, (2) remove or explain --dangerously-skip-permissions usage, and (3) provide a dry-run-only mode that never writes to home without explicit signed confirmation. If you want, I can extract the specific lines that reference undeclared env vars and the exact files that will be written so you can audit them more easily.

Like a lobster shell, security has layers — review code before you run it.
