Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Runner

v1.0.0

Enables secure execution of specified OpenClaw skills via cron jobs by forwarding agentTurn messages and passing the necessary context.

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for xpneuma/skill-runner.

Install the skill "Skill Runner" (xpneuma/skill-runner) from ClawHub.
Skill page: https://clawhub.ai/xpneuma/skill-runner
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-runner

ClawHub CLI

npx clawhub@latest install skill-runner
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's goal (invoke another skill's exported skill() function with the same context) is consistent with its name and description, but the implementation uses a hard-coded absolute path (/home/bosunjung/.openclaw/workspace/skills) and will attempt to import arbitrary files. The hard-coded username path is unexpected and likely incorrect for most installations. Allowing arbitrary skill names to resolve to filesystem paths is broader than the description implies.
Instruction Scope
SKILL.md promises a 'secure' proxy that passes a context object to a target skill. The code indeed forwards the full context to the imported skill, but there is no validation, allowlist, or sanitization of the requested skill name. This enables directory traversal (e.g., '../') and arbitrary local module execution, and it grants the target skill the same tools/privileges the runner has — behavior that is potentially dangerous and not mitigated by the instructions.
Install Mechanism
No install spec and no external downloads are present; the skill is instruction/code-only. That minimizes supply-chain install risk. The included index.js should still be reviewed and audited before use.
Credentials
The skill declares no environment variables or credentials (which is proportionate). However, it accesses the host filesystem at an absolute path and dynamically imports local modules; filesystem access is implicit and broad. The hard-coded path is suspicious and may expose unintended files if the runtime user has wide filesystem permissions.
Persistence & Privilege
always is false and the skill doesn't request special platform privileges. However, because it can be invoked (cron payloads or other agentTurn messages) to execute arbitrary local code and passes its own context into that code, it effectively widens the blast radius of any skill that can be invoked through it. That makes message-source validation and allowlisting important.
What to consider before installing
This skill can run other local skills by importing their index.js and passing them the runner's full context. Before installing, consider:

  1. The code hard-codes /home/bosunjung/... — confirm that path is correct for your environment or request that the author make the base path configurable.
  2. The message payload ("run <skill-name>") is not sanitized or allowlisted — an attacker who can send cron payloads or agentTurn messages could request 'run ../../some/path' and cause arbitrary local file execution. Require an allowlist of permitted skill names or validate against a strict pattern (e.g., /^[a-z0-9_-]+$/).
  3. The runner forwards its full context (tools, sessions) to the invoked skill — limit the context or use capability-scoped proxies so untrusted skills can't access more than they need.
  4. Run this skill as a least-privileged user and ensure the runtime cannot read sensitive files from the filesystem; avoid running as root.
  5. Ask the author to remove the hard-coded username path, add input sanitization, implement an allowlist, and document exactly which capabilities are passed to invoked skills.

If you cannot confirm these changes, consider this skill risky and avoid installing it on production or multi-tenant systems.

Like a lobster shell, security has layers — review code before you run it.

latest: vk979fgmphphqd92hnrsr4ydvwn838wph
111 downloads
0 stars
1 version
Updated 1mo ago
v1.0.0
MIT-0

Skill Runner

Purpose

This skill acts as an intermediary to run other OpenClaw skills via cron jobs or indirect calls. It provides a secure way to execute a specific skill function within the OpenClaw runtime, ensuring the skill receives the necessary context object (including access to tools and sessions).

How it works

  1. Receives an agentTurn message (e.g., from a cron job).
  2. The message content specifies which target skill to run (e.g., run memory-enhancer).
  3. Dynamically imports and executes the skill function from the target skill's index.js file.
  4. Passes its own context object to the target skill, allowing the target skill to use OpenClaw's tools (like sessions_spawn).

Configuration

  • Runs as a dedicated isolated agent.
  • Uses the default model configured for agents.
  • Expected message format: run <skill-name>

Invocation

Primarily invoked via OpenClaw's cron jobs (cron add with payload.kind="agentTurn" targeting this skill).

Example Cron Job Payload

{
  "kind": "agentTurn",
  "message": "run memory-enhancer",
  "model": "google/gemini-2.5-flash",
  "sessionTarget": "isolated"
}
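
A hardened way to handle the run <skill-name> message described above, as an added example that is not this skill's index.js and not OpenClaw's API: it applies the name pattern and allowlist the scan recommends and hands the target only the tools listed for it. SKILLS_DIR, ALLOWED_SKILLS and the context shape ({ tools: { name: fn } }) are assumptions.

```javascript
// Added example, not the skill's index.js. SKILLS_DIR, ALLOWED_SKILLS and the
// context shape ({ tools: { name: fn } }) are assumptions for illustration.
const SKILLS_DIR = '/opt/openclaw/skills'; // hypothetical, set per install
const NAME_RE = /^[a-z0-9_-]+$/;           // strict pattern from the scan report
// Allowlist: permitted skill name -> tool names that skill may receive.
const ALLOWED_SKILLS = new Map([['memory-enhancer', ['sessions_spawn']]]);

// Parse "run <skill-name>" and resolve it to an entry file, or throw.
function resolveSkill(message) {
  const m = /^run (\S+)$/.exec(String(message).trim());
  if (!m) throw new Error('expected message format: run <skill-name>');
  const name = m[1];
  // NAME_RE admits no '/', '\' or '.', so the name cannot leave SKILLS_DIR.
  if (!NAME_RE.test(name)) throw new Error(`invalid skill name: ${name}`);
  if (!ALLOWED_SKILLS.has(name)) throw new Error(`skill not allowlisted: ${name}`);
  return {
    name,
    entry: `${SKILLS_DIR}/${name}/index.js`,
    tools: ALLOWED_SKILLS.get(name),
  };
}

// Build the context handed to the target: only the listed tools, frozen,
// and none of the runner's other properties (sessions and so on).
function scopeContext(context, toolNames) {
  const tools = {};
  for (const t of toolNames) {
    const fn = context.tools && context.tools[t];
    if (typeof fn === 'function') tools[t] = fn.bind(context.tools);
  }
  return Object.freeze({ tools: Object.freeze(tools) });
}

// Runner entry point: validate the name, import the entry file, then call
// the exported skill() with the narrowed context instead of the full one.
async function runSkill(message, context) {
  const { entry, tools } = resolveSkill(message);
  const mod = await import(entry);
  if (typeof mod.skill !== 'function') throw new Error('no skill() export');
  return mod.skill(scopeContext(context, tools));
}
```

The message 'run ../../some/path' from the scan report is rejected by the name pattern before any filesystem path is built.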
