Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawLock

v2.3.0

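ClawLock — a comprehensive security scanning, red-team testing and hardening tool that supports all platforms. Triggered when the user explicitly asks for a security scan, security check-up or security hardening: 「开始安全体检」 ("start security check-up"), 「安全扫描」 ("security scan"), 「检查 skill 安全」 ("check skill security"), 「安全加固」 ("security hardening"), 「探测实例」 ("probe instance"), 「scan my claw」, 「security check」, 「drift detection」, 「red team...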

by g0at@g1at
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes a legitimate security scanner/hardening tool that reasonably needs to read configs, find installations, and optionally call CVE/LLM/red-team services. However, the registry entry lists no required binaries, env vars, or install steps while the SKILL.md metadata explicitly references python>=3.9, a pip package ('clawlock') and a 'clawlock' binary. That mismatch between declared registry requirements and the skill's own instructions is inconsistent and unexplained.
!
Instruction Scope
The runtime instructions tell the agent to read Claw configuration files and system locations, perform local scans, optionally truncate and send code snippets to an external LLM if --llm is used, run optional promptfoo red-team tests (requires Node.js) and perform network version checks against PyPI/GitHub. They also instruct the agent to perform package updates (pip install -U clawlock) and to fetch and overwrite local SKILL.md files from GitHub. Those actions grant the skill broad discretion to modify local files and to send truncated code/prompts externally; the SKILL.md contains privacy promises but the agent instructions still allow powerful I/O and network behavior that must be explicitly authorized by the user.
!
Install Mechanism
No formal install spec is provided in the registry (instruction-only), yet the SKILL.md instructs using pip install (PyPI) and pulling skill files from GitHub, then running the installed binary. Installing from PyPI is a common pattern, but the skill also instructs to overwrite local skill files fetched from GitHub and to run updates inside the conversation — operations that write to disk and execute code. Those behaviors are higher risk and should be surfaced before allowing automatic execution.
!
Credentials
The registry declares no required environment variables or credentials, but the SKILL.md references an optional CLAWLOCK_CLOUD_URL and explicitly relies on user-provided LLM API keys when --llm is enabled. The skill will read local Claw config files (which may contain secrets) as part of scanning. The combination of reading potentially sensitive local configs plus optional external LLM/red-team uploads (if enabled) is powerful; the skill does not declare these env/credential needs in the registry metadata, which is disproportionate / inconsistent.
Persistence & Privilege
The skill is not always-included and does not request autonomous invocation privileges, which is good. However, its instructions allow it to install/upgrade the clawlock package and replace local skill files when the user consents. That grants the skill significant capability to change local skill code and installed packages; such actions should require explicit, informed user approval and preferably manual confirmation rather than fully automated in-conversation updates.
What to consider before installing
This SKILL.md largely matches the stated purpose (a security scanner) but contains several red flags you should consider before installing or running it:

- Inconsistency: The registry lists no required binaries or env vars, but the SKILL.md expects python>=3.9, a 'clawlock' pip package/binary, Node.js for optional red-team tests, and may use an LLM API key. Ask why the registry metadata is empty or incorrect.
- High-impact actions: The instructions include network version checks, pip install -U clawlock, and fetching & overwriting local SKILL.md files from GitHub. Those will modify your environment — only allow them after you verify the exact commands and trust the package/repo.
- Data flow: By default scans are local, but optional features (--llm, red-team) will send truncated code snippets or prompt payloads externally. If you have sensitive secrets in configs, avoid enabling --llm or red-team, or run the skill in an isolated environment.
- Safer usage tips: run in an isolated VM/container or non-production machine; first run with offline flags (--no-cve --no-redteam and avoid --llm) to see local-only behavior; require explicit manual updates rather than in-conversation automatic pip/GitHub updates; inspect the PyPI package and the GitHub repo (verify publisher/trust) before permitting installs; never provide an LLM API key unless you understand which snippets are sent.

If you want to proceed, ask the skill to report exactly which online capabilities it will run this session and perform updates manually (not automatically) the first time.

Like a lobster shell, security has layers — review code before you run it.

latestvk974t4jew5z0vhcjebe06ptb5s84t6qc

