Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Security Vet

v2.0.0

Skill security vetting - integrates local scanning with VirusTotal cloud threat intelligence

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lanew197894fun-cmd/skill-security-vet.

Install the skill "Skill Security Vet" (lanew197894fun-cmd/skill-security-vet) from ClawHub.
Skill page: https://clawhub.ai/lanew197894fun-cmd/skill-security-vet
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: bun
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-security-vet

ClawHub CLI

npx clawhub@latest install skill-security-vet

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name and description claim a skills security vet that integrates local scanning and VirusTotal — the code implements that for ~/.opencode/skill and VirusTotal lookups, which is coherent. However the vet.ts also implements a full local-disk scanner (scanLocalComputer) with support for scanning system drives and suspicious binary extensions; that broad disk scanning and file-level handling is not clearly advertised in SKILL.md examples, creating a capability mismatch.
[!] Instruction Scope
The SKILL.md examples only show scanning installed skills and configuring a VirusTotal API key. The code supports additional modes (local, full) that traverse filesystem roots, examine many file types, compute hashes, call VirusTotal, and can quarantine or remove files. Those instructions/behaviour (disk-wide scanning, removing/quarantining files) are not clearly surfaced in SKILL.md, which grants the skill broad discretion over local files.
Install Mechanism
No external download/install steps; the skill is designed to run under bun and has no network install URL. There are no archive downloads or third-party package installs in the manifest.
[!] Credentials
The skill requests no cloud credentials up-front and uses a user-provided VirusTotal API key configured via CLI (reasonable). However SKILL.md claims 'secure storage' of the API key while the code persists configuration as plain JSON under ~/.opencode/config (skill-vet.json / security-scan.json), which is not encrypted and may be readable by other local users. Also the skill reads HOME/USERPROFILE and will operate on system paths; this access is broader than the SKILL.md explicitly warns about.
[!] Persistence & Privilege
The code defaults to enabling auto-scan/auto-quarantine behavior in places (loadConfig defaults autoScanOnStartup: true and autoQuarantine: true in startup-scan fallback), and includes functions that copy then rmSync files/directories (quarantine/removal). While the skill is not marked always:true, these automatic removal/quarantine capabilities give it destructive privileges on the user's skill directory and, in full/local mode, potentially other files on disk. SKILL.md does not make these defaults explicit.
What to consider before installing
This skill can scan installed skills and query VirusTotal, which matches its description — but it also contains a full-disk scanning mode and can automatically quarantine or delete files. Before installing or running it:

  1. Inspect the code yourself or run it in a sandbox or VM first.
  2. Disable automatic actions (autoQuarantine/autoRemove/autoScanOnStartup) in the config before running scans.
  3. Do not provide your VirusTotal API key until you confirm where it is stored (the code writes plain JSON to ~/.opencode/config).
  4. Backup ~/.opencode/skill (and important data) so you can recover if the tool quarantines or removes files.
  5. If you only want skill-level checks, run the tool with explicit arguments (e.g., scan for specific skills) and avoid 'local' or 'full' modes.

If you are not comfortable reviewing the code or running it in an isolated environment, treat this skill as high-risk.
[!] vet.ts:3
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: bun
latest vk97e61r3n7301bnqgwecywx8sh8371e9
255 downloads · 0 stars · 2 versions · Updated 1h ago
v2.0.0 · MIT-0

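Skill Security Vet - Skill Security Vetting System

Combines local security scanning with VirusTotal cloud threat intelligence to automatically vet the security of installed skills.

Features

  • 🔍 Local scan - detects dangerous functions and patterns
  • ☁️ VirusTotal scan - cloud comparison against 70+ antivirus engines
  • 📊 Risk rating - four levels: high / medium / low / info
  • 🔑 API key management - secure storage of the VirusTotal API key

Scan items

🔴 High risk (local)

  • eval(), new Function() - dynamic code execution
  • child_process.exec() - system command execution
  • process.exit() - forced process termination
  • Sensitive path access (/etc/passwd, ~/.ssh/, etc.)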
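
The high-risk checks listed above can be expressed as line-oriented regex rules. The following is an added example, not the skill's vet.ts; the rule ids, function names and the SAMPLE source are constructed for illustration.

```javascript
// Added example: regex rules for the README's "high risk (local)" list.
// Rule ids, function names and SAMPLE are constructed for illustration.
const RULES = [
  { id: "dynamic-eval", re: /\beval\s*\(/ },
  { id: "new-function", re: /\bnew\s+Function\s*\(/ },
  // Covers child_process.exec( and require("child_process").exec( ;
  // execSync is included as an assumption beyond the README's list.
  { id: "shell-exec", re: /\bchild_process["']?\)?\s*\.\s*exec(?:Sync)?\s*\(/ },
  { id: "process-exit", re: /\bprocess\s*\.\s*exit\s*\(/ },
  { id: "sensitive-path", re: /\/etc\/passwd|~\/\.ssh\// },
];

// Blank out comments but keep newlines so reported line numbers stay valid.
// Heuristic only: a "//" inside a string literal is also cut.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, (m) => m.replace(/[^\n]/g, " "))
    .replace(/(^|[^:"'`\\])\/\/.*$/gm, "$1");
}

// Return one finding per (rule, line) hit in a single source file.
function scanSource(src) {
  const findings = [];
  stripComments(src).split("\n").forEach((line, i) => {
    for (const { id, re } of RULES) {
      if (re.test(line)) findings.push({ rule: id, line: i + 1 });
    }
  });
  return findings;
}

// Per-skill result: any high-risk hit marks the skill "danger".
function scanSkills(skills) {
  const report = {};
  for (const [name, src] of Object.entries(skills)) {
    const findings = scanSource(src);
    report[name] = { status: findings.length ? "danger" : "safe", findings };
  }
  return report;
}

// Constructed sample: comments and look-alike names must not trigger rules.
const SAMPLE = [
  "// eval() is never used here",
  "const { readFileSync } = require('fs');",
  "const score = retrieval(query);",
  "const fn = new Function('a', 'return a * 2');",
  "/* legacy: child_process.exec('ls')",
  "   process.exit(1) */",
  "const key = readFileSync('~/.ssh/id_rsa');",
  "require('child_process').exec(userInput);",
  "if (!ok) process.exit(2); // bail out",
].join("\n");

console.log(scanSkills({ "sample-skill": SAMPLE, "clean-skill": "export const x = 1;" }));
```

Matches in commented-out code are skipped on purpose, so a hit always points at a line that can actually execute.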

☁️ VirusTotal detection

  • Scan results from 70+ antivirus engines
  • Malware family classification
  • Threat rating score

Usage

First-time setup: VirusTotal API key

skill-security-vet config --api-key <YOUR_VT_API_KEY>

Getting a VirusTotal API key

  1. Go to https://virustotal.com
  2. Register or log in to an account
  3. Go to Profile → API Key
  4. Copy the API key

Scan all skills (including VirusTotal)

skill-security-vet scan --vt

Local scan only

skill-security-vet scan

Scan specific skills

skill-security-vet scan github,slack --vt

Show high risk only

skill-security-vet scan --severity=high --vt

Sample output

🔍 技能安全審核系統 v2.0
📁 掃描目錄: ~/.opencode/skill
🎯 目標技能: 78 個
☁️ VirusTotal: 已啟用
──────────────────────────────────────────────────

✅ github - 安全
   ☁️ VT: 0/70 防毒引擎標記 (安全)
   
⚠️ unknown-skill - 警告
   🟡 [本地] 缺少 SKILL.md 描述文件
   ☁️ VT: 0/70 防毒引擎標記 (安全)

🔴 suspicious-skill - 危險
   🔴 [本地] 發現 eval() 動態程式碼執行
   ☁️ VT: 45/70 防毒引擎標記 ⚠️ 惡意!

──────────────────────────────────────────────────
📊 審核報告摘要
   總計: 78 個技能
   ✅ 安全: 75 個
   ⚠️ 警告: 2 個
   🔴 危險: 1 個
☁️ VirusTotal 掃描: 78 個
   ✅ 雲端安全: 77 個
   ⚠️ 雲端可疑: 0 個
   🔴 雲端惡意: 1 個

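Security recommendations

| Level | Description | Recommendation |
|---|---|---|
| 🔴 Double danger | Both local and VT flag it as dangerous | Remove immediately |
| 🔴 Local danger | Local scan found problems | Removal recommended |
| ⚠️ Cloud suspicious | VT marks it as suspicious | Needs review |
| ✅ Safe | All checks passed | Normal use |

Notes

  • VirusTotal public API limit: 4 requests per minute
  • A free API key is sufficient for everyday use
  • Running security scans regularly is recommended
  • If a high-risk finding appears, review the source code immediately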
