skill-isolator

Warn

Audited by ClawScan on May 18, 2026.

Overview

The skill’s purpose is coherent, but it can automatically install/change skills from project files and contains an unsafe shell-command path that could run unintended commands.

Use this only with trusted project repositories. Before running sync, inspect .openclaw-skills.json, avoid floating latest versions where possible, and do not enable automatic syncing until the shell-command injection risk and approval flow are fixed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A malicious or compromised project configuration could cause the sync command to execute unintended shell commands with the user's permissions.

Why it was flagged

Skill names and versions are read from the project .openclaw-skills.json and interpolated into a shell command without strict validation or argument escaping.

Skill content
const skillName = typeof skillSpec === 'string' ? skillSpec : skillSpec.name;
...
const cmd = `clawhub install ${skillName}${versionSpec}${forceFlag}`;
execSync(cmd, {
Recommendation

Use spawn/execFile with argument arrays, add strict skill-name/version validation, and avoid running sync on untrusted project configs until fixed.

What this means

Opening or syncing a project can change the installed/active skill set and therefore the agent's behavior, potentially based on repository-controlled files.

Why it was flagged

The skill instructs automatic detection and installation of missing skills when entering a project, using configuration from the project directory.

Skill content
**⚡ Auto sync** | Automatically detects and installs missing skills when entering a project ... `autoSync.onProjectEnter` ... default true ... `autoSync.onSkillMissing` ... default true
Recommendation

Require explicit user confirmation before installing or activating skills, show the exact source/version to be installed, and default auto-sync off for untrusted projects.

What this means

Users may believe project skills are fully isolated when global or previously installed skills may still influence the agent.

Why it was flagged

The artifacts make strong isolation/automatic switching claims, but the provided runnable script primarily checks and installs skills globally and does not show enforcement of activation/deactivation or excludeGlobal isolation.

Skill content
**🔒 Project isolation** | Each project has its own independent skill configuration; switching projects automatically switches skills
Recommendation

Document the actual isolation boundary clearly and implement or require a runtime mechanism that enforces activation/deactivation before advertising complete project isolation.

What this means

Project configs can steer skill sourcing and updates, so untrusted configs or floating latest versions may introduce unexpected skills.

Why it was flagged

Remote/local skill sources and latest-version installs are central to the stated purpose, but they expand the trust boundary for what instructions/tools may be added to the agent.

Skill content
**🌐 Multi-source support** | clawhub / local / git / url ... **📦 Version control** | Supports pinning a specific version or `latest` for automatic updates
Recommendation

Use trusted sources, pin versions for important projects, and review .openclaw-skills.json before syncing.