ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Huawei Device Inspector

v1.0.0

通过SSH自动巡检华为交换机和路由器,执行状态检查、告警和安全风险排查,生成详细健康报告。

1· 93·1 current·1 all-time
by聿歆@v585
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Huawei device SSH inspection) aligns with the instructions to SSH and run display commands. However, the SKILL.md embeds concrete device IPs and plaintext credentials instead of asking the user to provide or store credentials securely; that is unexpected for a reusable skill.
!
Instruction Scope
The instructions tell the agent to spawn interactive SSH sessions via pexpect and run many device commands (expected). But they also include hard-coded management addresses and passwords, and advise disabling host key checking (-o StrictHostKeyChecking=no). The instructions do not specify how credentials should be supplied, validated, or limited, and they would cause the agent to connect to specific hosts automatically if run as-is.
Install Mechanism
This is an instruction-only skill with no install spec; it lists reasonable runtime dependencies (Python3 + pexpect, optional sshpass). No downloads or archive extracts are present.
!
Credentials
requires.env is empty but the SKILL.md contains plaintext usernames and passwords and specific management IPs. The skill requests no declared secrets while expecting access to device credentials — that mismatch is disproportionate and increases risk (hard-coded secrets, unclear secret sourcing).
Persistence & Privilege
The skill is not always-enabled and has no install-time persistence. It does not request system-wide configuration changes or elevated platform privileges.
What to consider before installing
This skill does what it says (connects to Huawei devices over SSH and runs inspection commands), but it includes hard-coded device IPs and plaintext credentials inside SKILL.md. Do NOT run it as-is on your network. Before installing: - Treat the listed IPs/credentials as potentially sensitive and either remove them or confirm they are safe test accounts. - Replace embedded credentials with user-supplied secrets (environment variables, secure prompt, or secret store) and declare them in the skill metadata. - Prefer SSH key authentication and avoid disabling host-key checking. - Review every command the skill will run to ensure it won't reveal or exfiltrate config/state you don't want sent elsewhere. - If you intend to use it in production, run it in a controlled environment and limit network access (sandbox/VPN) until you verify behavior. If you cannot validate the source or intended targets, consider this skill unsafe to run.

Like a lobster shell, security has layers — review code before you run it.

latestvk972v8gq938n3edjtbxr7eak1583b3an

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments