Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Python Use Agent
v1.0.0 · Intelligently executes Python tasks described by the user, automatically generating and running code and reporting the results; no extra configuration needed, compatible with legacy command usage.
by @jirboy
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description ('Python Use Agent') aligns with the included files: the package provides mechanisms to generate, review, and execute Python code. Requiring no external credentials and no special binaries is reasonable for this purpose. However, config.json declares sandboxing and allowed/blocked imports and executor.py contains safety-check placeholders, while index.js implements direct execution of Python code via child_process.exec without invoking those safety checks — an implementation mismatch that weakens the claimed protections.
Instruction Scope
SKILL.md describes task->generate->execute workflow and notes sandboxing, but it does not instruct agents to avoid sending secrets or system data into generated code. executor.py contains _check_safety and other safety stubs, but index.js's executePython writes the code to a temp file and runs `python <file>` directly, with no pre-execution filtering, no blocking of dangerous patterns, and no enforcement of the config.json security settings. That means the agent can execute arbitrary Python that may read files, environment variables, or use network I/O — scope creep relative to the plain skill description.
Install Mechanism
No install spec (instruction-only with shipped code) — lowest install risk. package.json lists no dependencies and peerDependencies requiring Python; nothing is downloaded at install time and no external URLs are used.
Credentials
The skill declares no required environment variables (reasonable), but runtime behavior allows executed Python code to access the agent's environment and filesystem. config.json lists allowed_imports including 'os' and 'pathlib' and allows network in execution config, yet blocked_imports are strings rather than enforced rules. Because index.js executes Python directly (without enforcing blocked patterns or a sandbox), the skill can inadvertently expose environment variables or local files to executed code. The skill's own metadata does not request credentials, but runtime code could access any env var present — this is disproportionate unless the environment is trusted and isolated.
Persistence & Privilege
always:false and no special OS restrictions. The skill does create ./python-use-results and writes temp files there, but it does not attempt to modify other skills or system-wide agent settings. It does not request persistent elevated privileges in its metadata.
What to consider before installing
This skill implements what it claims (AI-driven Python execution) but there is a meaningful implementation mismatch: config.json and executor.py describe sandboxing and safety checks, yet index.js directly writes a temp .py file and runs it with child_process.exec without applying those checks or honoring sandbox settings. That allows arbitrary Python to run with whatever environment and filesystem access the agent process has. Before installing or using the skill, consider:
1) Do not pass secrets or sensitive file paths as 'context' or task text — executed code could read environment variables and files.
2) Prefer running this skill only in an isolated environment (container or VM) or with network/file-system access disabled.
3) Ask the author/maintainer whether index.js should call the Python executor (which would apply safety checks) or whether sandbox enforcement will be added; request explicit runtime enforcement of blocked imports/patterns and network/file-system restrictions.
4) If you must use it in a sensitive environment, review and modify index.js to enforce config.json security settings or route execution through a verified sandbox.
If you cannot get these assurances, treat the skill as risky and avoid supplying any credentials or private data to it.
executor.py:144: Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
latest: vk973cnvdthpk19gxxmvs2a2mm985128z
