ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

安装 ob1 openblocklabs 完成验证步骤

v1.0.0

Install and authenticate OB1 (OpenBlock One), a multi-model terminal coding agent. Use when asked to install OB1, set up ob1, or when ob1 authentication/logi...

0· 243·0 current·0 all-time
byicdyct@txc-z

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for txc-z/ob1-install.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "安装 ob1 openblocklabs 完成验证步骤" (txc-z/ob1-install) from ClawHub.
Skill page: https://clawhub.ai/txc-z/ob1-install
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install ob1-install

ClawHub CLI

Package manager switcher

npx clawhub@latest install ob1-install
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (install and authenticate OB1) align with the instructions. The SKILL.md only covers download, install, device-code auth flow, and verification; there are no unrelated env vars, binaries, or config paths requested.
Instruction Scope
Instructions are scoped to installation and device-code authentication. They instruct the agent/operator to run the installer, keep the process alive for the device-code flow, and deliver the code to the user via chat — which is expected for this flow, but the guidance to transmit auth codes over chat is a potentially sensitive step and must only be done to the legitimate human user.
!
Install Mechanism
The SKILL.md tells the agent to run `curl -fsSL https://dashboard.openblocklabs.com/install | bash`. Piping a remote script directly to a shell executes arbitrary code from the network and is higher risk than an install from a vetted package repository. While the domain matches the product name, the installer content is not shown for review and the instruction will write binaries and tokens under ~/.ob1 and ~/.local/bin.
Credentials
No environment variables or external credentials are requested by the skill, which is proportionate. The installer and auth flow will store auth tokens and settings under ~/.ob1 (settings.json and saved tokens) — these are sensitive and should be protected. The skill does not request unrelated credentials.
Persistence & Privilege
The skill is instruction-only, not always-enabled, and does not request elevated platform privileges. It instructs installation of user-local files (~/.ob1, ~/.local/bin) which is normal for a CLI tool and does not modify other skills or system-wide agent configs.
What to consider before installing
This skill appears to do what it says, but proceed with caution: 1) The installer command pipes a remote script to bash — inspect the script before running (download it first and review its contents or verify a checksum) or ask the vendor for a package you can audit. 2) Run the installer in a controlled environment (non-root user, container, or VM) if you want to limit risk. 3) The device-code auth will save tokens under ~/.ob1; keep that directory secure and avoid sharing tokens. 4) When the skill asks you to "send the code via chat," only transmit the one-time device code to the intended human; do not paste it to public channels or unknown endpoints. 5) If you need higher assurance, request an official install method (package repo, signed release) or vendor-provided verification steps before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk9755tprnz7g7hkbrc37eksfk182v0e7
243downloads
0stars
1versions
Updated 15h ago
v1.0.0
MIT-0
icdyct@txc-z
latest
Download

OB1 Install & Authentication

Install

curl -fsSL https://dashboard.openblocklabs.com/install | bash

Installs to ~/.ob1/bin/ob1, symlinks to ~/.local/bin/ob1.

Verify: ob1 --version

Authentication

OB1 uses device code flow. Run ob1 and it will display:

To sign in: https://auth.openblocklabs.com/device
Enter code: XXXX-XXXX

Headless/server workflow:

  1. Start ob1 with PTY: the auth URL and code appear in terminal
  2. Send the code to user (via chat) — they open the URL in their browser
  3. User signs in and approves
  4. OB1 shows "Authentication Successful!" and asks to confirm organization
  5. Press Enter to confirm — auth token saved to ~/.ob1/

Important: Each ob1 process generates a unique code. If the process dies, a new code is needed. Keep the process alive until user confirms.

After first auth, all subsequent runs skip login.

Post-Install

  • Default model: Claude Opus 4.6
  • Default mode: Safe YOLO
  • Config: ~/.ob1/settings.json
  • Non-interactive: ob1 -p "task" -y -o text

Comments

Loading comments...