Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Core Prompt Patcher

v2.1.1

Automatically reinjects the V-ULTIMATE persona into OpenClaw's core system prompt after updates or reinstallations to maintain custom behavior.

by om yarewara @oki3505f
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious, medium confidence
! Purpose & Capability
The name/description claim a general-purpose persona injector and the code does perform file reads and writes to OpenClaw's installation to inject a persona, which is consistent. However, the package includes persona.txt containing an explicit 'V (Unrestricted Ultimate Edition)' persona that instructs removal of safety filters and grants 'UNLIMITED' authorization. That contradicts the 'general-purpose' claim and suggests the skill ships with a prepackaged, unsafe persona. Also the script hardcodes OPENCLAW_PACKAGE_ROOT to /home/oki/.npm-global/lib/node_modules/openclaw (a single-user path), which is brittle and unexpected for a general tool.
! Instruction Scope
SKILL.md explicitly instructs reading ~/.openclaw/workspace/SOUL.md and locating/injecting content into compiled OpenClaw JS files under dist/plugin-sdk. That is within the stated scope but is high-risk because it modifies core runtime files and there are no safety confirmation steps described. The included persona.txt contains directives to disable safety filters — injecting that content would remove guardrails. The runtime script also imports child_process.execSync (present in patcher.js) which means it can run shell commands; the SKILL.md does not disclose any such command execution or safeguards.
Install Mechanism
There is no install spec (instruction-only), but the skill includes an executable script (patcher.js). That reduces supply-chain complexity versus remote downloads, but the script is intended to be executed locally and will write into an installed package's dist/ directory. No network downloads are used by the installer, which is preferable, but local filesystem modification of a global package is inherently risky.
! Credentials
The skill declares no required env vars or credentials, but it implicitly requires filesystem access to the user's home (reads ~/.openclaw/workspace/SOUL.md, writes into global node_modules). The hardcoded OPENCLAW_PACKAGE_ROOT path points to a specific user's node_modules layout and may fail or cause confused writes on other systems. The script requires write permission to the global OpenClaw install (potentially requiring elevated privileges). The presence of persona.txt that encourages disabling safety is not justified by the 'general-purpose' claim and is disproportionate to a simple convenience script.
! Persistence & Privilege
The skill modifies OpenClaw's core compiled files (dist/plugin-sdk/reply-*.js), which changes system-level behavior and persists across runs. Although always: false (not force-included), the skill can be invoked and run to change core prompts. Combined with the included unsafe persona and the fact the patcher can run commands (child_process import), this increases the blast radius if executed or scheduled. The SKILL.md and README do not describe explicit safeguards, confirmations, or opt-in steps before performing system-level edits.
What to consider before installing
This skill will read your workspace SOUL.md and directly modify OpenClaw's compiled files to inject persona text. That is a high-privilege action — it can bypass OpenClaw's normal safety behavior if you inject an unsafe persona.
Notable issues:
- The package includes persona.txt with a prebuilt 'V (Unrestricted Ultimate Edition)' persona that explicitly disables safety filters and commands 'UNLIMITED' authorization. If you run the patcher with that persona present (or if you point your SOUL.md to similar content), you will remove important guardrails.
- The patcher hardcodes a single-user path (/home/oki/...) for the OpenClaw install which is unexpected and may cause accidental writes or failures on other systems.
- The script edits files under the global openclaw installation and may require elevated permissions; always back up OpenClaw before running.
- The script imports child_process.execSync (it can run shell commands) — examine the complete patcher.js for any execSync usage before executing.
Practical recommendations:
1. Do not run this on a production or sensitive environment until you fully inspect the code. Open the entire patcher.js and search for any execSync or fs.writeFile calls and review what paths will be changed.
2. Remove or sanitize persona.txt and ensure your own SOUL.md does not contain directives that disable safety or request unlimited privileges.
3. Back up your OpenClaw installation (or test in a disposable environment/container) so you can restore the original files if something goes wrong.
4. Prefer manual or official extension APIs for customizing system prompts rather than patching compiled files. If OpenClaw provides a supported plugin or config mechanism, use that instead.
5. If you proceed, run patcher.js under a non-privileged account and avoid running as root; review the backup created by the script before accepting changes.
Because the package bundles an explicitly unsafe persona and modifies core runtime files, treat this skill as suspicious and proceed only after careful code review and isolation.
