Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Larrybrain
v1.5.3
Skill marketplace for OpenClaw agents. One subscription, unlimited tools. Search, download, and install skills from the LarryBrain library.
by OliverHenry @olliewazza
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description (a skill marketplace) justify network access and the ability to write skills to a local skills/ directory. However, the registry metadata claims no required env vars while SKILL.md lists LARRYBRAIN_API_KEY — this mismatch is unexplained and reduces trust in the manifest.
Instruction Scope
SKILL.md directs the agent to search, download, write every file from remote responses into skills/{slug}/, prepend update headers, then read and 'follow its setup instructions' (install deps, start services, etc.). That effectively authorizes downloading and executing arbitrary third-party code. The file explicitly tells agents to 'Run this skill FIRST' for unknown tasks, which is scope-expanding and could lead to autonomous installs/execution without clear user consent.
Install Mechanism
Although there is no formal install spec (it's instruction-only), the runtime instructions rely on curl calls to an external API and require writing and executing returned files. Downloading and extracting arbitrary content from a third-party source into the agent's runtime is high-risk unless the user inspects and approves every file. The SKILL.md claims skills are 'human-reviewed' but provides no mechanism for enforced local sandboxing or verification beyond a manual diff.
Credentials
The SKILL.md requires LARRYBRAIN_API_KEY (for premium skills), which is reasonable for a marketplace, but this conflicts with the registry metadata that listed no required env vars. The instructions also embed example curl commands that include the API key header; careless handling could leak the key (e.g., if logs or files are exposed). Requiring a single API key is proportionate in isolation, but combined with automatic download/execute semantics it's higher risk.
Persistence & Privilege
always:false and model invocation allowed (normal). The skill writes skill files and a local _meta.json — expected for a marketplace. It does not request global agent config changes, but it urges the agent to run first for unknown tasks and to auto-install skills, which effectively increases its operational presence unless the agent enforces explicit user prompts.
Scan Findings in Context
[ignore-previous-instructions] unexpected: A prompt-injection pattern was detected in SKILL.md. This pattern is not needed for a marketplace manifest and may be an attempt to manipulate agent instruction flow (e.g., override safety checks or prior instructions). Treat this as a red flag that the authored instructions could try to escape normal instruction boundaries.
What to consider before installing
This skill is coherent with being a 'marketplace' but its runtime instructions allow the agent to download, write, and then execute arbitrary third-party skill code — which is risky. Before installing or using:
1) Require explicit user approval before downloading or installing any skill, and require the user to inspect remote files first.
2) Do not allow automatic execution of downloaded setup scripts; run installs only inside a sandbox or VM.
3) Verify the LarryBrain service origin (check the GitHub repo and HTTPS certificate) before trusting content.
4) Scope the LARRYBRAIN_API_KEY (use least privilege, short-lived keys if possible) and avoid embedding it in files or logs.
5) Treat the detected prompt-injection pattern as suspicious — ensure your agent ignores instructions in downloaded SKILL.md that try to override prior policies or request credential exfiltration.
If you need a safer alternative, prefer marketplace workflows that provide signed releases, reproducible checksums, or require manual, user-driven installation steps.
Like a lobster shell, security has layers — review code before you run it.
