Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

External Receiver

v1.0.0

General-purpose external data receiving Skill. Starts an HTTP service on the server, receives external file uploads and messages, and automatically pushes the content into the OpenClaw user session. Supports: file upload, text messages, Webhook JSON, curl / wget clients.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
- VirusTotal: Suspicious
- OpenClaw: Suspicious (high confidence)
Purpose & Capability
The stated purpose (start an HTTP server to receive files/messages and push them into an OpenClaw session) matches the code: receiver_server.py implements /upload, /message, /webhook and writes notifications. However the skill also attempts to read OpenClaw gateway configuration (~/.openclaw/openclaw.json) to obtain an auth token and connect to a local WebSocket — this access to local gateway credentials is not declared in the metadata and is not explicitly mentioned in SKILL.md (the doc only hints at WebSocket attempts).
Instruction Scope
SKILL.md instructs the user to run scripts/start.sh which runs receiver_server.py. The runtime instructions and code will: (1) accept arbitrary uploads and save them to RECEIVER_DIR, (2) write notifications into ~/.openclaw/workspace/received/message_queue.jsonl for the agent to read, and (3) read ~/.openclaw/openclaw.json to extract a gateway token and attempt a local WebSocket push. The code reads/writes files under the user's home directory that were not declared in requires.config, and the SKILL.md examples/documented paths are inconsistent with the code (the docs show paths under ~/.openclaw/workspace/received but the server's default RECEIVER_DIR is a skill-relative ../received).
Install Mechanism
There is no external download/install step and no remote code fetched at install time. The skill ships 3 script/code files and a start script; running the start script executes local Python code. No untrusted network installs are present in the manifest.
Credentials
No required environment variables are declared, but the code will respect optional RECEIVER_* env vars and will (without explicit metadata) access ~/.openclaw/openclaw.json to read a 'gateway'->'auth'->'token'. That means the skill can read a local configuration file that may contain sensitive tokens even though 'required config paths' or any credential access are not declared. The code also writes to ~/.openclaw/workspace/received/message_queue.jsonl (queue file) — this persistent file location is not declared in metadata either.
Persistence & Privilege
The skill does not request 'always: true' and does not modify other skills, but it creates persistent files/directories under the user's home (~/.openclaw/workspace/received and a received directory), and will remain listening (network server) while run. It also tries to use a gateway websocket for immediate push if local config/token is present. These behaviors are expected for a receiver but are persistent and network-exposed by default (0.0.0.0:8080) unless the user changes env/config.
What to consider before installing
This skill implements an HTTP file/message receiver, which is plausible for its description, but there are several red flags to consider before installing:
- Undeclared local config access: receiver_server.py reads ~/.openclaw/openclaw.json to extract a gateway auth token and may attempt a WebSocket connection using that token. This access to a local config/secrets file is not declared in the skill metadata. Inspect ~/.openclaw/openclaw.json to see what secrets it contains before running the skill.
- Undeclared persistent files: the skill writes notifications to ~/.openclaw/workspace/received/message_queue.jsonl and creates a received directory; these persistence locations are not listed in the registry metadata. If you want uploads stored elsewhere, set RECEIVER_DIR and confirm the server actually uses that path.
- Documentation / code mismatch: SKILL.md shows responses and default storage paths under ~/.openclaw/workspace/received, but the server's default RECEIVER_DIR (when not set) is skill-relative (../received). Confirm the actual storage location and update env vars accordingly.
- Network exposure: default host is 0.0.0.0 and default port 8080. If you run this on a publicly reachable host, require RECEIVER_SECRET and use firewall rules or a reverse proxy with TLS. The start script runs the server directly; consider running it inside a sandboxed container or private network.
- File handling: uploaded files are saved as-is (basename + timestamp) with no content inspection; avoid running or exposing uploaded files. Regularly clean the received directory and restrict who can POST to the endpoint.
Recommendations before use:
1) Review the contents of ~/.openclaw/openclaw.json and confirm you are comfortable with the skill reading it and using any token inside.
2) Set RECEIVER_SECRET and firewall rules before exposing the server.
3) Set RECEIVER_DIR to a controlled location and verify the code writes there.
4) Run in an isolated environment (container/VM) if you don't trust the origin.
5) Ask the skill author to declare the config paths and token usage in registry metadata and to fix the documentation/code path inconsistencies.
Given these undeclared accesses and inconsistencies, proceed only after addressing or accepting these risks.
