Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
VLAN Linux Client
v1.0.0管理 VLAN.CN Linux 客户端的安装、登录、组网连接、服务控制及网络诊断操作。
⭐ 1· 127·0 current·0 all-time
byshixianfang@sxf-oss
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name/description (manage VLAN.CN Linux client) align with the commands and features described (install, login, connect, service control, diagnostics). The SKILL.md contains only client-focused operations and references api.vlan.cn, which is consistent with the stated purpose.
Instruction Scope
The instructions tell users/agents to run a remote install script via `curl -kfsSL http://dl.vlan.cn/vlan2.0/linux/install.sh | sh`. This directs execution of arbitrary remote code and uses an HTTP URL (no HTTPS) and curl -k (which suppresses TLS checks for HTTPS). Aside from that, the rest of the instructions stay within the client's scope and do not request unrelated files or env vars.
Install Mechanism
There is no formal install spec; instead the skill recommends a download-and-pipe-to-shell pattern from dl.vlan.cn over plain HTTP and without integrity or signature verification. That pattern is high-risk: it allows arbitrary code execution, lacks transport integrity, and offers no provenance or reproducible packaging.
Credentials
The skill declares no required environment variables or credentials, which is proportionate. The usage examples include username/password or login codes entered interactively; the doc advises using short-lived login codes to avoid leaving passwords in shell history, which is appropriate. However, the install/uninstall steps imply writing files under system paths and may require sudo — this elevates privileges for the unsigned installer.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not attempt to modify other skills or agent-wide config in the SKILL.md. The installer may create system services and require sudo, which is expected for a system client but increases the impact of a malicious installer.
What to consider before installing
This skill appears to do what it claims (manage the VLAN.CN Linux client) but its install instruction is the main red flag: it asks you to run `curl … http://dl.vlan.cn/.../install.sh | sh` which downloads and executes code from an unverified HTTP endpoint. Before installing: 1) Do not run the pipe-to-sh command directly on production systems. 2) Prefer packages distributed over HTTPS with a checksum or GPG signature; verify the vendor's official website (https://www.vlan.cn) for verified install instructions and signatures. 3) Inspect the install script contents locally (download and read it) and run it in a disposable sandbox/container or VM first. 4) Avoid running installers as root unless you trust them; consider running with least privilege. 5) Use the recommended short-lived login codes instead of passwords to avoid credential leakage in shell history. 6) If you cannot verify the origin and integrity of dl.vlan.cn artifacts, treat installation as high-risk and consult your organization's security policy or the vendor for signed releases.Like a lobster shell, security has layers — review code before you run it.
latestvk975d2nnmwh4p6hma3b1vp1c95835w8z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.