Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Skill Dependency Resolver

v0.1.0

Automatically detects and resolves conflicting Python package versions across multiple skill requirements.txt files, generating a merged, conflict-free requi...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The declared purpose (detect and resolve Python package version conflicts across skills) matches what the code and CLI attempt to do. No unrelated credentials, binaries, or network access are requested. The package is self-contained and uses only the Python standard library.
Instruction Scope
SKILL.md and README claim recursive scanning (os.walk), skipping tests/node_modules, and support for a wide range of version operators (>=, <=, ~=, != and range expressions). The actual implementation:
- scans only top-level children of the provided skills_dir (does not recurse)
- detects conflicts only by collecting exact '==' versions (it ignores ranges for conflict detection)
- parsing and conflict logic are simplistic (regex + digit-only version extraction)
These are functional mismatches: the runtime behavior is narrower than documented and may miss conflicts or produce incorrect merges. Additionally, manual mode uses input(), which will block in non-interactive contexts.
Install Mechanism
No remote downloads or third-party package installs. install.sh creates a symlink of the CLI into ~/.local/bin and marks the script executable. This is low-risk but does modify the user's ~/.local/bin and may overwrite an existing CLI (it attempts to back up with .bak).
Credentials
The skill requests no environment variables, no credentials, and no config paths. It reads requirements.txt files under the user-supplied skills_dir and writes a merged requirements file to an output path supplied by the user — all of which are proportional to its stated purpose.
Persistence & Privilege
The skill does not request always:true, does not install background services, and does not modify other skills' configs. Its only persistent change (if installed) is a symlink in ~/.local/bin pointing to the skill script.
What to consider before installing
This skill is not obviously malicious, but its documentation overpromises relative to what the code actually does. Before installing or running:
1) Review/verify behavior in a sandbox: run the CLI against a controlled test skills_dir and inspect the generated requirements-merged.txt before using it.
2) Be aware the resolver only detects conflicts for exact '==' versions and will likely miss or mishandle ranges and complex specifiers; do not rely on it to find all incompatibilities.
3) Manual mode uses interactive input(), which will hang in non-interactive automation; avoid using it in CI without modification.
4) install.sh creates a symlink in ~/.local/bin and may back up an existing file to .bak; confirm you allow that file operation.
5) If you need full operator/range handling or recursive scanning, ask the author for code updates or run the tests and extend resolver.py; otherwise treat outputs as advisory and always inspect the merged file before applying pip installs.


Tags: dependency, devops, installation, latest, quality
