WSL-PowerShell Controller

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it says, but it gives an agent broad ability to run Windows PowerShell commands from WSL, including scripts and elevated/admin workflows, so it needs careful review before use.

Use this skill only if you want OpenClaw to be able to run Windows PowerShell from WSL. Treat it like giving the agent a terminal on your Windows host: review every command, avoid untrusted scripts, be cautious with administrator prompts, and prefer pinned or reviewed installation sources.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent runs the wrong command, it could change or delete Windows files, stop processes, alter settings, or run other programs on the host.

Why it was flagged

The helper script passes arbitrary user or agent-provided text directly to Windows PowerShell. That is the skill's stated purpose, but it is an unscoped high-impact command channel to the Windows host.

Skill content

"$pwsh_path" -NoProfile -Command "$cmd"

Recommendation

Install only if you intentionally want the agent to control Windows PowerShell. Review commands before execution, avoid using it for broad or destructive tasks, and consider requiring explicit user approval for every invocation.

What this means

A selected script can run as Windows PowerShell even when normal execution policy might otherwise block it.

Why it was flagged

When executing certain script files, the script pipes file contents into PowerShell with ExecutionPolicy Bypass. Script execution is expected for this skill, but bypassing execution policy reduces a Windows safety control and is not prominently bounded.

Skill content

cat "$file" | "$pwsh_path" -ExecutionPolicy Bypass -NoProfile -Command -

Recommendation

Only run scripts you trust, inspect script contents first, and avoid using the file-execution mode on untrusted or downloaded files.

What this means

If approved, commands may run with administrator privileges and can make system-wide changes.

Why it was flagged

The documentation explicitly tells users how to launch elevated PowerShell. This is disclosed and user-directed, but it can cross into administrator-level changes.

Skill content

Some operations require administrator privileges, use `-Verb RunAs` for elevated PowerShell

Recommendation

Use elevation only for tasks that truly require it, and confirm the exact command before approving any UAC or administrator prompt.

What this means

Following the README installation commands later could install code that differs from the artifact reviewed here.

Why it was flagged

The README suggests installing from the live GitHub repository or main branch ZIP rather than a pinned commit. The reviewed artifact includes source, but these alternate install paths could fetch different future code.

Skill content

git clone https://github.com/TYzzt/wsl-powershell.git ... wget https://github.com/TYzzt/wsl-powershell/archive/refs/heads/main.zip

Recommendation

Prefer the reviewed registry package or pin any GitHub install to a specific trusted commit before running it.