Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Grinders Farm
v0.3.3
Requires grinders-farm CLI + openclaw-plugin-grinders-farm before use. Maps intents to grinders_farm. Install grinders-farm and openclaw-plugin-grinders-farm before use.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (map intents → grinders_farm) matches the provided SKILL.md and the included plugin/CLI integration code. The repo contains an OpenClaw plugin that registers /farm and a skill that maps chat to a single grinders_farm tool call. One minor inconsistency: the SKILL.md and README require the grinders-farm CLI and the openclaw plugin, but the registry metadata only lists 'npx' as a required binary — the skill relies on external binaries (grinders-farm, openclaw) even if they aren't declared in the minimal required-bins list.
Instruction Scope
Runtime instructions are narrowly scoped: map NL to a single approved grinders_farm command and execute that tool. The included plugin code performs local file reads/writes under ~/.grinders-farm and ~/.openclaw/media, starts local helper processes (image server, auto worker), and invokes the grinders-farm CLI via child processes — all consistent with the documented behavior. SKILL.md explicitly forbids arbitrary shell/exec use beyond the tool call, and the code adheres to running the game CLI and plugin-related flows rather than scanning unrelated user data.
Install Mechanism
The skill is instruction-only (no install spec) but ships many source files including an OpenClaw plugin and package files. There is no remote arbitrary-download installer in the skill metadata. Installation requires the user to npm install the grinders-farm CLI and to install the openclaw-plugin-grinders-farm (the README and SKILL.md instruct to run openclaw plugins install with --dangerously-force-unsafe-install). That flag is a user action and raises an operational-security consideration (it forces plugin install), but the install mechanism itself is standard (npm/global CLI + OpenClaw plugin install) and not an opaque remote fetch from an untrusted URL.
Credentials
The skill does not request secrets or credentials (requires.env is empty). The code does read environment variables (OPENCLAW_BIN, GRINDERS_FARM_ROOT, GRINDERS_FARM_CLI_BIN, NVM_BIN, etc.) to locate executables or override paths; these are non-secret configuration variables used for locating binaries. It does not require AWS keys or other unrelated secrets. Note: the package-lock included in the repo contains many third-party packages (e.g., AWS-related libs) in the lockfile, but the plugin package.json lists only peerDependencies for OpenClaw — review package.json/lockfile if you plan to run npm install from the repo.
Persistence & Privilege
The plugin and CLI write persistent local state under the user's home (~/.grinders-farm) and stage media under ~/.openclaw/media. They also launch detached helper processes (image server, auto worker) and can auto-start background workers via plugin config. These behaviors are expected for this kind of plugin but do mean the software will create persistent files and background processes on install/when started.
Assessment
This skill appears to do what it says: translate user chat into a single grinders_farm CLI invocation and integrate with OpenClaw. Before installing, consider:
1) You must install two npm-based components (grinders-farm CLI and openclaw-plugin-grinders-farm) and restart the OpenClaw Gateway; the SKILL.md tells you how.
2) The plugin uses the --dangerously-force-unsafe-install flag when shown as an example — that bypasses some install safety checks; only run that if you trust the plugin source.
3) The plugin will create and write files in ~/.grinders-farm and ~/.openclaw/media and may spawn detached background processes (image server, auto-worker) that can auto-start via plugin config; be comfortable with that persistence.
4) No secrets or cloud credentials are requested, but the code does read path-related env vars (OPENCLAW_BIN, GRINDERS_FARM_ROOT, etc.) — these are for locating binaries, not for exfiltration.
5) If you plan to run npm install from the repository, review package.json and the lockfile for large/extra dependencies.
If anything about the package source is untrusted or if you do not want background processes or local state files, do not install the plugin; you can still play manually via the grinders-farm CLI in the terminal without installing the OpenClaw plugin or this skill.
openclaw-plugin/index.ts:52
Shell command execution detected (child_process).
openclaw-plugin/start-image-server.ts:63
Shell command execution detected (child_process).
openclaw-plugin/start-local-auto.ts:24
Shell command execution detected (child_process).
scripts/sync-skill.mjs:16
Shell command execution detected (child_process).
src/local-auto.ts:26
Shell command execution detected (child_process).
src/notify/openclaw-push.ts:239
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest vk978fye4s0xjgv0773nz4dxa7584737y
Runtime requirements
🌾 Clawdis
Bins: npx
