Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Adversarial Engine

v2.0.1

Multi-model adversarial engine: a four-model real adversarial debate system. Architect, Engineer, Security Officer and Arbiter collaborate, with code-sandbox verification, vector-retrieval augmentation, and convergence detection that triggers an automatic circuit breaker.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Pending

OpenClaw: Suspicious (high confidence)
Purpose & Capability
The code and SKILL.md overall align with the stated purpose (multi‑model adversarial debate, code sandbox, vector retrieval, WebSocket push). However the implementation references specific local paths under /home/admin/.openclaw/workspace, embeds a DEFAULT_API_KEY in source, and points to an external BASE_URL — these are not documented in SKILL.md and are unexpected for a drop‑in skill.
Instruction Scope
SKILL.md describes code sandboxing and WebSocket APIs (coherent) but does not call out the runtime's ability to write temporary files, spawn subprocesses that run arbitrary Python code, read a local knowledge base, or persist results to a local DB. The server/WebSocket endpoints and an example host/port in the README are inconsistent with the server defaults in code. The instructions give the agent permission to generate and execute code but provide no runtime safety constraints.
Install Mechanism
There is no install spec that downloads or executes remote archives; all code is provided in the bundle. No package manager downloads or external installers are used — this reduces supply‑chain risk compared to URL downloads.
Credentials
The skill requests no declared env vars, but both async_engine.py and engine.py hardcode DEFAULT_API_KEY and BASE_URL. The code also attempts to use a local api_key_manager if present (sys.path insertion into /home/admin/.openclaw/workspace/multi_agent_engine). The combination of a hardcoded key, optional key router integration, and no explicit key management is disproportionate and risky. The code also reads/writes under /home/admin/.openclaw (KB and DB), which grants access to local data not mentioned in SKILL.md.
Persistence & Privilege
always:false (good). The skill creates a local SQLite DB and references persistent workspace paths; it can run an HTTP/WebSocket server and spawn background tasks. It does not declare 'always:true' or request to modify other skills, but it can leave persistent state under the workspace and open network endpoints if started.
Scan Findings in Context
[hardcoded-api-key] unexpected: Both engine.py and async_engine.py contain DEFAULT_API_KEY = "sk-sp-2b89d1b9a55d4cb9a8094c9127459aab" and a BASE_URL. Hardcoding an API key in source is insecure and not justified by SKILL.md; it may be a real credential or a placeholder that could leak billing access or allow exfiltration.
[subprocess-exec-python] expected: The code executes generated Python via subprocess.run (temp file + 'python3'), which is expected because the skill advertises a code sandbox. However that sandbox is a plain subprocess execution in /tmp with no containerization, restricted interpreter, or I/O/network restrictions — so while expected for the declared feature, it is a high‑risk operation and should be treated as untrusted code execution.
What to consider before installing
Key points before installing or running:

- Do not run this on a machine containing sensitive data: the engine will read/write under /home/admin/.openclaw/workspace (KB and DB) and will execute arbitrary Python code via subprocess with full access to the host filesystem and network.
- Treat the DEFAULT_API_KEY in the code as a secret leak or invalid placeholder: remove it and configure proper key management (use a secure key router or environment variables), and verify the external BASE_URL endpoint before allowing network access.
- The claimed 'sandbox' is not a true sandbox: generated code runs with the system Python and can perform I/O, open sockets, or read environment variables. If you need to test, run the skill inside an isolated VM or container with strict filesystem and network restrictions.
- The server exposes HTTP/WebSocket endpoints; confirm the port and host settings and restrict access (bind to localhost or firewall) before starting.
- Verify and/or remove any sys.path insertions that reference shared workspace locations to avoid unintentional access to other skills or credentials.
- If you must use this code, audit and/or modify the CodeSandbox.run_safely method to enforce stricter isolation (e.g., containerized execution, resource limits, network disabled), and replace hardcoded credentials with explicit, documented key configuration.
- When in doubt, do not run this skill in production or on an administrator workstation. Run in an ephemeral, sandboxed environment and review network traffic and keys after testing.

