Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
OpenClaw Mobile Pair
v0.1.1一键生成 OpenClaw 手机控制中心连接码(自动读取本机 gateway token)
⭐ 0· 229·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description say the skill will auto-read a local 'gateway token' and generate a mobile pairing code. However, the package contains no script or declared config paths/env vars to perform that action. Requesting access to a local gateway token is plausible for the stated purpose, but the skill does not justify or declare how it will obtain that secret.
Instruction Scope
Runtime instructions tell the agent to run scripts/generate-mobile-pairing.ps1 with 'ExecutionPolicy Bypass' — a potentially sensitive operation that may read local files or secrets. The referenced script is not included in the skill, so it's unclear what will run or what data it reads/transmits. The instructions give the agent broad permission to execute an external PowerShell script which could access or exfiltrate tokens.
Install Mechanism
There is no install spec and no included code besides SKILL.md and VERSION.txt, which is low risk in itself. Note: the skill nevertheless expects an external script to exist at runtime, which is not provided; that runtime dependency increases practical risk even without an installer.
Credentials
The description implies access to sensitive local credentials (gateway token) but the skill does not declare required env vars or config paths. Requiring an undisclosed local secret is disproportionate and unexplained. The use of PowerShell with ExecutionPolicy Bypass further raises the potential for elevated access to local state.
Persistence & Privilege
The skill is not marked always:true and does not request persistent installation or modification of other skills/settings. It appears not to request elevated platform privileges by itself.
What to consider before installing
Do not run or enable this skill yet. Ask the publisher for the missing scripts/generate-mobile-pairing.ps1 and a clear explanation of what it reads and what endpoints (if any) it talks to. Before installing, require: (1) the full script source for review, (2) a declaration of which local files or environment variables it needs (and why), and (3) assurance it does not upload tokens to external servers. Avoid running with PowerShell ExecutionPolicy Bypass unless you (or your security team) have audited the script in a safe sandbox. If the publisher cannot provide source or a trustworthy homepage, treat the skill as unsafe.Like a lobster shell, security has layers — review code before you run it.
latestvk979v201chm1btxrkhg2fbm8k582t0f1mobilevk979v201chm1btxrkhg2fbm8k582t0f1openclawvk979v201chm1btxrkhg2fbm8k582t0f1pairingvk979v201chm1btxrkhg2fbm8k582t0f1
License
MIT-0
Free to use, modify, and redistribute. No attribution required.