Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clash-verge-auto-switch
v1.0.0Use when the user wants Codex to speed test Clash Verge Rev or Mihomo proxies, auto-detect currently used Clash groups from the live controller, switch a sel...
⭐ 1· 69·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the implementation: the scripts discover a local Mihomo/Clash controller (via explicit args, CLASH_API_* env vars, or local config files), call the controller API, run latency tests, and switch selector groups. No unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md and the scripts instruct the agent to read local Clash config files (~/.config/clash/config.yaml and ~/Library/Application Support/...), consult environment variables (CLASH_API_UNIX_SOCKET, CLASH_API_URL, CLASH_API_SECRET), call the controller via curl (HTTP or unix socket), and optionally launch the Clash app. These actions are within the stated purpose but are broad (they examine local config and may modify controller state by switching selectors).
Install Mechanism
There is no external download; install is a local zsh script that writes a user LaunchAgent plist under ~/Library/LaunchAgents and uses launchctl. This is a standard macOS user-level installation method and the script does not pull code from remote URLs.
Credentials
The skill does not declare required env vars but will read CLASH_API_UNIX_SOCKET, CLASH_API_URL, and CLASH_API_SECRET if present and will use any 'secret' from local configs as an Authorization header to the controller. While these env/config accesses are necessary for discovering and authenticating to a Clash controller, users should be aware the script will read local config files and environment variables and may send the secret value to the controller API.
Persistence & Privilege
The provided installer creates a user LaunchAgent that will run the bundled Python script at the chosen interval and write logs to ~/Library/Logs. The skill does not set always:true; installation is explicit via the install script, but installing grants the script periodic execution under the user account.
Assessment
This skill appears to do what it says: discover a local Clash controller, test proxies, switch selector groups, and optionally install a macOS LaunchAgent to run periodically. Before installing, review the included scripts (switch_fastest.py and install_launch_agent.sh). Key points to consider:
- The script will read local Clash config files (~/.config/clash/config.yaml and Clash Verge's config path) and will read CLASH_API_UNIX_SOCKET, CLASH_API_URL, and CLASH_API_SECRET environment variables if present. If a controller secret exists it will be used in an Authorization header to the controller API.
- The script uses curl to communicate with the controller and may change selector state (it performs switches). Use --dry-run first to verify behavior.
- The install script writes a LaunchAgent plist to ~/Library/LaunchAgents and runs the script at the chosen interval; inspect the generated plist and logs before enabling. Installation requires explicit user action; do not run the installer unless you trust the code and understand the schedule.
- If you are unsure, run the Python script manually with --list-groups and --dry-run, and verify it only talks to your intended controller. If you rely on a secret, rotate it if you suspect exposure. If you want to be extra cautious, run the code in a controlled account or inspect it line-by-line before permitting installation.Like a lobster shell, security has layers — review code before you run it.
latestvk975sy6dsxveea30b9jpxvghdh83kqmp
License
MIT-0
Free to use, modify, and redistribute. No attribution required.