Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
self-check
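v1.0.0
System self-check tool. Comprehensively checks environment configuration, file integrity, permissions, dependencies, API tokens, and more, then reports problems and suggests fixes (but does not apply fixes itself).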
⭐ 0 · 158 · 1 current · 1 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (system self‑check) aligns with required binaries (node, npm, nvm) and the script's behavior: checking Node/nvm, gateway, OpenClaw config, skills, and local workspace files. No unrelated credentials or cloud services are requested.
Instruction Scope
SKILL.md and the Python script instruct the agent to run local read/inspection commands (pgrep, ss, readlink, node/npm, python3 -c import ...), parse SKILL.md and config files, and list presence/absence of tokens (without printing values). This is appropriate for a system audit, but the tool does access many local files and runs shell commands — review results before acting on suggested fix commands.
Install Mechanism
No install spec; the skill is instruction+script only. There are no downloads or archive extraction steps and no external installers invoked by the skill, minimizing installation risk.
Credentials
The skill requests no environment variables or credentials. It reads local workspace/config files (e.g., openclaw.json, SKILL.md, agent files) to determine presence of API tokens and settings. This is proportional to a self‑check, but that access can reveal metadata about local tokens and configuration — verify that outputs don't leak secret values and run with appropriate privileges.
Persistence & Privilege
always is false; the skill is user‑invoked. The script declares it will not modify files or auto‑fix anything. It does not attempt to modify other skills or system settings.
Assessment
This skill appears internally consistent with its purpose: it inspects local OpenClaw workspace files, processes and installed runtimes and only prints findings and suggested commands. Before running: (1) review the script yourself (it's included) to confirm it prints but does not exfiltrate secret values; (2) run it from an account with least privilege needed (avoid running as root) to limit exposure; (3) inspect reported 'fix' commands before pasting them into a shell (they may include sudo/pip/npm operations); (4) because the package source is 'unknown', prefer running it in a test environment or container first if you have sensitive production data. If you want, I can point out exact lines in the script that read specific files/commands to make a more targeted risk review.
Like a lobster shell, security has layers — review code before you run it.
latestvk974sr9eb9bn3c0hmwfz02d719833xvr
Runtime requirements
🔍 Clawdis
Bins: node, npm, nvm
