ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Weclaw Installer

v1.0.0

Automate installing and configuring the WeClaw WeChat bot environment on macOS. Use when the user asks to download/install WeClaw, set up a local Python envi...

0· 91·0 current·0 all-time
byHang Yin@popilopi168

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for popilopi168/weclaw-installer.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Weclaw Installer" (popilopi168/weclaw-installer) from ClawHub.
Skill page: https://clawhub.ai/popilopi168/weclaw-installer
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: git, uv, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install weclaw-installer

ClawHub CLI

Package manager switcher

npx clawhub@latest install weclaw-installer
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (WeClaw installer) matches the declared requirements (git, uv, python3) and the tasks (clone repo, run installer). However the skill package does not include the actual installer implementation (setup_package.py is referenced but absent), so the package cannot be verified as self-contained.
!
Instruction Scope
SKILL.md explicitly instructs the agent to clone an external GitHub repository and run a Python entrypoint that imports setup_package.setup_openclaw_package. The included wrapper (scripts/run_setup.py) will execute code from that external repo. The instructions also request an API key interactively. Downloading and executing code from an external, unreviewed repo and passing a user-provided API key to it is outside what can be validated from this skill bundle alone.
!
Install Mechanism
There is no formal install spec in the skill; instead the runtime instructions require cloning an external GitHub repository (https://github.com/Popilopi168/weclaw-package-upload-test) and executing Python code from it. Running arbitrary code fetched at runtime is higher risk because the executed module (setup_package.py) is not present in the published files for review.
Credentials
The skill declares no required environment variables but its runtime instructions tell the agent to ask the user for an API key (and pass it to the external setup). Asking for a single API key is reasonable for an installer, but the skill metadata does not declare this requirement and the behavior of code that receives the key (setup_package) cannot be audited here.
Persistence & Privilege
always is false and there is no install that persists or modifies other skills/system configs in the provided files. However, because the skill instructs execution of external code, autonomous invocation by the agent (default) would increase risk if the external code is malicious.
What to consider before installing
This skill instructs cloning and running code from an external GitHub repository while the core installer (setup_package.py) is not included in the skill bundle — that makes it impossible to audit what the installer will do. Before installing or running this skill: (1) Inspect the external GitHub repo yourself (especially setup_package.py) and confirm you trust its maintainer. (2) Do not paste your real API key until you understand how it will be used or stored; consider using a test key. (3) Run the installer in an isolated environment (VM/container) or on a throwaway account. (4) Ask the skill author to publish the missing setup_package.py (or include full installer code) and to declare the exact purpose of the API key. If you cannot review the external repository, do not run the skill.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

OSmacOS
Binsgit, uv, python3
latestvk974hw4a69bv49p34yahbssee983xd7h
91downloads
0stars
1versions
Updated 4w ago
v1.0.0
MIT-0
macOS
Hang Yin@popilopi168
latest
Download

Source repository

The installer clones this repo into a local folder named weclaw-package-upload-test:

ClawHub

  • Slug: weclaw-installer

Why Path must be a folder: The ClawHub CLI resolves paths as resolve(workdir, <path>). If your current directory has no .clawhub marker, workdir defaults to your OpenClaw workspace (not this repo), so skills/weclaw-installer points nowhere.

This repo includes a .clawhub/ folder so that when your shell cd is the repo root, workdir stays the repo.

Publish (from repo root, recommended):

clawhub publish skills/weclaw-installer --version 1.0.0 --slug weclaw-installer

If you still see the error (e.g. CLAWHUB_WORKDIR overrides), use an explicit workdir or an absolute path:

clawhub --workdir "$(pwd)" publish skills/weclaw-installer --version 1.0.0 --slug weclaw-installer
# or
clawhub publish /absolute/path/to/weclaw-installer-plugin/skills/weclaw-installer --version 1.0.0 --slug weclaw-installer

When to use

Use this skill when the user wants to:

  • Install / download / bootstrap the WeClaw project locally
  • Set up Python dependencies with uv
  • Configure an API key / .env
  • Fix common macOS setup blockers (especially Accessibility permission)

Workflow

  1. Ensure prerequisites are available: git, uv, python3.
  2. If macOS Accessibility permission is not enabled, open the System Settings page and instruct the user to enable it for the terminal/app running the automation.
  3. Ask the user for the required API key if it is not already provided.
  4. Run the setup entrypoint to perform the automated steps.

Entrypoint (wrapper script)

Run:

  • python3 scripts/run_setup.py

To pass the API key non-interactively:

  • python3 scripts/run_setup.py --api-key "<KEY>"

After the user has enabled macOS Accessibility permission:

  • python3 scripts/run_setup.py --api-key "<KEY>" --mac-permission-confirmed

Safety / guardrails

  • Do not request or store unrelated secrets.
  • Only write .env / config values that are explicitly required for WeClaw setup.
  • If a step fails, surface the exact error output and suggest the smallest next fix.

Comments

Loading comments...