Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Vetting V2

v2.0.1

Vet ClawHub skills for security and utility before installation. Use when considering installing a ClawHub skill, evaluating third-party code, or assessing w...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is to vet ClawHub skills and it includes a scanner (scripts/scan.py) and extensive guidance—this matches the basic claim. However ARCHITECTURE.md and SKILL.md describe a mediated review pipeline (mediate.py), multi-model consensus agents, and an orchestration layer that are not included in the file manifest. That mismatch (claimed features absent from the package) is an incoherence that could be benign (incomplete packaging) or misleading.
Instruction Scope
Runtime instructions in SKILL.md stay within the vetting domain: download skill archives to /tmp, run the included scanner, and perform manual review. The guidance explicitly warns about prompt injection and instructs not to obey in-file instructions, which is consistent and scoped. It does reference running the scanner from a presumed installed path (~/.openclaw/...), which is a minor path assumption but not malicious.
Install Mechanism
No install spec is provided (instruction-only plus included scripts). That is low risk. The only network operation suggested is curl from clawhub.ai to fetch the skill archive, which is expected for this purpose. No downloads from untrusted or shortener URLs are present.
Credentials
The skill requests no environment variables or credentials. The scanner actively flags environment access patterns in scanned skills, which is appropriate for a vetting tool. There is no disproportionate credential request.
Persistence & Privilege
The skill does not request persistent or elevated presence (always: false, no install actions). It contains no code that modifies other skills or global agent settings. Running the provided scanner locally is normal, but you should run it in a sandboxed environment as the guidance recommends.
Scan Findings in Context
[scanner_detects_eval_exec_pattern] expected: scripts/scan.py contains regex patterns to detect eval()/exec() and other dangerous constructs. This is expected behavior for a security scanner.
[scanner_detects_prompt_injection_patterns] expected: The scanner includes explicit rules for social-engineering/prompt-injection (e.g., flags referencing 'AI', 'agent', 'ignore warnings'). That's appropriate for a tool intended to detect prompt injection.
[package_missing_mediator_and_orchestrator] unexpected: ARCHITECTURE.md describes mediator scripts (scripts/mediate.py), a meta-detection agent, and multi-model consensus components, but those scripts are not present in the provided file manifest. The documentation claims features that are not delivered in this package.
[path_assumption_in_SKILL_md] unexpected: SKILL.md suggests running the scanner from ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py while the repository provides scripts/scan.py relative to the package—this is a minor inconsistency in expected installed locations and should be verified before running.
What to consider before installing
This package contains a sensible scanner and very detailed vetting guidance, but the docs promise a mediated multi-agent pipeline that isn't included. Before running anything: (1) Inspect scripts/scan.py locally (it is the primary executable here). (2) Run scans only in an isolated/sandbox environment (e.g., VM or container) and in /tmp as recommended. (3) Do not rely on ARCHITECTURE.md claims of mediate.py or consensus agents unless you obtain the missing components from a trusted source. (4) If you plan to automate use of this skill, ask the author for the missing mediator/orchestrator code or a canonical release; absence of those components reduces the tool's claimed defenses. (5) If you have low tolerance for ambiguity, treat this package as incomplete and avoid installing until the missing pieces are provided and reviewed.
scripts/scan.py:22: Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

