Qclaw Env
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This environment installer is mostly purpose-aligned, but it includes an unguarded macOS command that could delete the entire Homebrew installation.
Install only if you want an agent to manage your command-line environment. Review each command before execution, especially any `rm -rf /opt/homebrew`, remote script pipelines such as `curl | bash` or `irm | iex`, sudo/admin steps, shell profile edits, and API key configuration.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent following the manual could remove Homebrew and all Homebrew-installed tools on an Apple Silicon Mac, breaking the user’s development environment.
The provided static scan reports this destructive delete command appears in the macOS manual without an explicit confirmation gate. It can delete the entire Homebrew installation rather than a single target tool.
rm -rf /opt/homebrew # Apple Silicon
Do not allow this command to run automatically. Require explicit user confirmation, explain the impact, verify the exact path, and prefer official uninstall or repair steps.
If the remote installer or mirror is compromised or changes unexpectedly, the installation step could run unintended code.
The guide executes an unpinned remote PowerShell installer from a mirror. This is common for package-manager bootstrap, but it trusts the remote source at run time.
irm https://gitee.com/glsnames/scoop-installer/raw/master/bin/install.ps1 | iex
Prefer official sources when possible, review installer scripts, and verify checksums or signatures before running remote script pipelines.
Exposed or overly broad API keys could allow account use, data access, or unexpected charges.
The skill may guide users to configure provider API keys as environment variables. That is purpose-aligned for CLI setup, but those keys can grant account access.
Configure API Key, environment variables, PATH ... Layer 4 environment variables OPENAI_API_KEY / GEMINI_API_KEY / ...
Only configure keys for services you intend to use, use least-privilege and revocable keys, avoid pasting secrets into logs or chat, and rotate keys if exposed.
Future shells and installs may continue using modified PATH, mirror, proxy, or registry settings even after the immediate task is complete.
The manual persists shell and package-manager configuration changes that will affect future terminal sessions and future package installs.
cat >> ~/.zshrc ... export HOMEBREW_BREW_GIT_REMOTE=...; echo 'eval "$(/opt/homebrew/bin/brew shellenv)"' >> ~/.zprofile
Tell the user exactly which profile/config files were changed and provide simple rollback commands.
