Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenClaw Knowledge Base

v1.0.2

OpenClaw Documentation Knowledge Base - Search & Sync

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Can make purchases · Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (knowledge base search & sync) matches the included scripts: sync.js fetches docs.openclaw.ai and saves markdown to a local docs/ directory; index.js builds a local JSON index used by search.js. Files and behaviors are proportionate to the stated purpose.
Instruction Scope
SKILL.md only instructs running the bundled node scripts (search and sync). The sync fetches remote markdown and writes it to a local docs/ directory and manifest; the indexer reads those files. This is expected, but the skill explicitly strips <AgentInstructions> tags from fetched pages — which indicates it anticipates remote documents may contain embedded agent instructions or injection vectors. Combined with the scanner flags, this is notable: the skill can ingest arbitrary remote text that may be used later as AI input, so verify source trustworthiness and/or sanitize fetched content before using results in an LLM.
Install Mechanism
No install spec is present (instruction-only install). The package is shipped as files in the skill bundle and requires node >=18. No external downloads or installers are executed during install, which minimizes supply-chain risk.
Credentials
The skill requests no environment variables or credentials and uses no external API keys. It only reads/writes local files (docs/, vault-index.json, .scrape-manifest.json) and performs HTTP GETs to docs.openclaw.ai (BASE_URL). The requested permissions are proportional to a documentation sync/indexer.
Persistence & Privilege
always is false and the skill does not modify other skills or global agent configuration. It persists scraped documents and a manifest under the skill's repo path (docs/ and .scrape-manifest.json), which is expected but means it will write to disk in the current workspace.
Scan Findings in Context
[system-prompt-override] unexpected: The pre-scan detected patterns that look like attempts to override system prompts. That is not expected for a documentation indexer. The code does remove <AgentInstructions> blocks from fetched docs, suggesting the author is aware of potential embedded agent instructions in source content — nevertheless, presence of prompt-override patterns in SKILL.md or bundled content warrants manual review.
[unicode-control-chars] unexpected: Unicode control characters can be used to obfuscate malicious instructions or hide payloads inside text. A docs fetcher/indexer might encounter such characters in remote content, but their detection in the skill bundle is unexpected and should be inspected (look for invisible characters in SKILL.md and any fetched .md files).
What to consider before installing
This skill is largely coherent with its stated purpose, but take these precautions before installing:
1) Only use it if you trust https://docs.openclaw.ai — the sync fetches and stores remote markdown and that content may later be fed to an LLM.
2) Inspect the docs/ directory and .scrape-manifest.json after a sync; search for <AgentInstructions> or suspicious invisible characters.
3) Run the sync in a sandboxed environment (not on a machine with sensitive files or keys) to avoid accidental contamination of your workspace.
4) If you plan to feed search results to an AI, either sanitize the content programmatically or manually review examples to ensure no prompt-injection payloads are present.
5) If you need higher assurance, request the upstream source code or an author explanation about why prompt-injection patterns appear in the bundle.
scripts/sync.js:77
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bzcwy9trrpe0ptfhh60rea984n5na


Runtime requirements

📚 Clawdis
OS: macOS · Linux · Windows
