ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Remote Skill Engine

v1.0.0

Cache and use skills from ClawHub and GitHub as if locally installed. Stores remote skills in local cache folder for offline use.

2· 525·2 current·2 all-time
byom yarewara@oki3505f
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description match its behavior: it fetches SKILL.md and related files, caches them, and symlinks them into the local skills folder so they behave like installed skills. However, the implementation calls external CLIs (clawhub, gh, date, python3) and expects a skills/ layout that aren't declared in the metadata; several workflows reference additional scripts (update-cached-skills.sh, sync-skill.sh, cache-stats.sh, etc.) that are mentioned in SKILL.md but are not present in the file manifest.
!
Instruction Scope
The runtime instructions and included scripts instruct the agent (or a user) to fetch arbitrary SKILL.md and scripts from remote repos and store them locally, set executables, and symlink them into the agent's skills directory. That expands the agent's attack surface by allowing unvetted remote code to become local skills. execute-remote-skill.py prints SKILL.md and encourages executing commands from the downloaded skill; cache-skill.py sets downloaded scripts to 0o755, enabling execution. SKILL.md also suggests auto-syncing and auto-executing workflows which could cause repeated unverified downloads/updates.
!
Install Mechanism
There is no install spec, but multiple provided scripts download raw files from constructed URLs (raw.githubusercontent.com and guessed ClawHub patterns). The download functions intentionally disable TLS verification (ssl.CERT_NONE, check_hostname=False) in multiple scripts, which is a high-risk practice because it permits man-in-the-middle injection of arbitrary content. The skill writes fetched files to disk and marks scripts executable, so a network attacker or a malicious upstream repo could deliver executable code.
!
Credentials
The registry metadata declares no required environment variables or credentials, but the scripts call the 'gh' and 'clawhub' CLIs and may rely on GitHub tokens or CLI configuration for richer searches; these CLIs and any tokens are not declared. The skill does network I/O to arbitrary URLs and caches content locally; although it doesn't explicitly request secrets, the lack of declared auth coupled with disabled SSL verification increases the risk that credentials (if used elsewhere) or other sensitive data could be exposed via MITM or by inadvertently caching a skill that exfiltrates data when later executed.
!
Persistence & Privilege
The skill creates persistent files and a symlink into the agent's skills directory (~/.openclaw/workspace/skills), installing remote code into the agent's runtime area. While not set to always:true, this ability to add or replace skills persistently means it can expand the agent's capabilities by introducing unvetted code. The skill modifies the agent's skills directory (a cross-skill config area), which is a higher-privilege action than merely storing its own config.
Scan Findings in Context
[disable_ssl_verification] unexpected: Multiple scripts (cache-skill.py, fetch-skill.py, execute-remote-skill.py) create an SSL context with check_hostname=False and verify_mode=ssl.CERT_NONE. There is no benign justification here — disabling TLS verification makes downloads trivially vulnerable to MITM and should be considered a major risk.
[downloads_and_writes_remote_code] expected: The skill's purpose is to cache remote skills, so downloading SKILL.md and scripts is expected. However, the scripts also mark downloaded files executable and symlink them into the runtime skills folder, which elevates the risk because remote content becomes executable local code.
[uses_undeclared_binaries] unexpected: The code invokes external CLIs (clawhub, gh, date, python3) but the skill metadata declares none. This mismatch means required capabilities are not surfaced to the user and could cause runtime failures or unintended behavior.
[missing_referenced_scripts] unexpected: SKILL.md and some scripts reference management scripts (update-cached-skills.sh, check-updates.sh, sync-skill.sh, cache-stats.sh, uncache-skill.sh) that do not exist in the manifest. This indicates the documentation and provided code are out of sync.
What to consider before installing
This skill implements exactly what it advertises — caching remote skills — but it does so in a risky way. Things to consider before installing: - The scripts disable TLS certificate verification when downloading remote files. That allows man-in-the-middle attackers to substitute malicious code. Do not run these scripts in production or on machines with sensitive data unless you fix the SSL behavior. - The tool downloads arbitrary scripts and marks them executable, then symlinks them into your agent's skills folder. That means untrusted upstream code can become a locally runnable skill. Only cache skills from repositories and authors you trust; inspect SKILL.md and any scripts before caching. - The skill calls external CLIs (clawhub, gh, date, python3) that are not declared in the metadata. Ensure those tools exist and you understand what credentials they use (e.g., GH tokens) before running. - The documentation references management scripts that are missing from the package; expect incomplete features. Recommended mitigations: - Do not run this on a host with sensitive credentials or production data. Run it in a disposable sandbox or container. - Patch the code to re-enable TLS verification (remove ssl.CERT_NONE usage) and consider verifying content integrity (checksums or git commit IDs) before making files executable. - Manually review remote SKILL.md and any downloaded scripts before caching; prefer using signed releases or pinned git SHAs rather than guessed raw URLs. - If you need this functionality, restrict auto-sync and remove any auto-execution behaviors; require explicit manual approval for each cached update. If you want, I can produce a patched version of the download functions that enforce TLS verification and add safety checks (e.g., prompt for approval, validate file types, compute & verify checksums) or a checklist for safely using this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk979hc19kpk207xbvk1dyavyf581q467

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments