Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw A2UI
v1.0.2为 OpenClaw webchat 回复增加个性化富 UI 展示,基于 HTML 直出渲染。 【默认启用】凡是结构化内容(列表、数据、步骤、表格、摘要、状态、代码等)一律用 HTML 卡片回复。 纯文字聊天(简单问答、闲聊)不强制套卡片。 当用户要求安装/迁移 openclaw-a2ui、启用 HTML 渲染、...
⭐ 0· 153·0 current·0 all-time
by@suuuy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (HTML-rich card rendering for OpenClaw webchat) align with the provided code and configs: ui-config.json expands DOMPurify/markdown rules, skill-ui-bridge.js patches client behavior to detect and render <div class="a2ui"> cards, and the plugin scripts inject the bootstrap into control-ui. Files and behaviors are coherent with the stated feature.
Instruction Scope
SKILL.md instructs the agent to emit HTML cards and documents the installation steps; it does not ask the agent to read unrelated system files or secrets at runtime. The runtime JS runs in the browser to transform chat DOM elements—this is consistent with the skill's UI purpose.
Install Mechanism
Installation is local (no remote downloads) but the plugin injects a static JS into control-ui/index.html and writes a skill-ui-init.js into the control-ui static directory. Modifying index.html and adding same-origin script is a high-impact operation (runs arbitrary JS in every client's browser). The install script copies plugin files into extensions and edits openclaw.json — this is necessary for the plugin approach but is a privileged change that should be reviewed and backed up.
Credentials
The skill declares no environment variables, which is appropriate. However, the client bootstrap (skill-ui-bridge.js) reads location.hash and localStorage keys (openclaw.device.auth.v1 and openclaw.control.settings.v1) to build an Authorization header when fetching /plugins/skill-ui/manifest. The server-side manifest handler is registered with Access-Control-Allow-Origin: "*" (CORS wildcard). While the code does not transmit tokens to third-party servers, reading browser-stored tokens and exposing a manifest endpoint with permissive CORS raise privacy/attack-surface concerns you should consider.
Persistence & Privilege
The plugin requires persistent, system-level changes: copying files into the OpenClaw extensions directory, registering the plugin in openclaw.json, and injecting a script into control-ui/index.html that will execute in all client browsers. always:false mitigates forced global enablement, but the installation grants broad privilege (arbitrary JS execution in UI) — review and backup steps are recommended.
What to consider before installing
What to consider before installing:
- This skill intentionally modifies server-side files: it copies a plugin into your OpenClaw extensions folder, edits openclaw.json, and injects a script into control-ui/index.html. Those changes will run code in every user's browser and should be reviewed and backed up before installation.
- The injected client script reads certain localStorage keys and location.hash to build an Authorization header for an internal manifest fetch; it does not send those tokens to external servers in the provided code, but any script injected into index.html can be a powerful vector—ensure you trust the author and review the injected JS line-by-line.
- The manifest HTTP handler sets CORS to '*'. That makes UI config manifests retrievable cross-origin; assess whether your ui-config.json files contain any sensitive information (e.g., external URLs or CSS that could leak internal data).
- Recommended actions: (1) review assets/skill-ui-bridge-plugin.js and assets/skill-ui-bridge.js fully, (2) run the install in a staging instance first, (3) back up control-ui/index.html (the install script creates an .orig but confirm), (4) consider restricting CORS or adding auth checks in the manifest handler if you operate in a sensitive environment, and (5) if you are not comfortable with server-side file changes or broad client-side JS injection, do not install.assets/skill-ui-bridge-plugin.js:83
File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latestvk974eehs7s2a6m778maftp733h834bcr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.