Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Acl Rule Analysis
v0.1.1
Vendor-agnostic ACL and firewall rule analysis with shadowed rule detection, overly permissive rule identification, unused rule discovery, redundant rule fla...
by Vahagn Madatyan (@vahagn-madatyan)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (vendor-agnostic ACL/firewall analysis) matches the instructions: the SKILL.md and references provide read-only retrieval commands and vendor-normalization logic. Minor inconsistency: the top registry metadata lists no required binaries/env, but the SKILL.md metadata explicitly lists 'ssh' in its openclaw.requires.bins field and the text assumes SSH/API/console access. This is plausible (you will need device access) but the declared registry requirements should match the runtime instructions.
Instruction Scope
Most instructions are read-only (show/get/test commands, API GETs, hit-count checks) and stay within the stated purpose. However, the CLI reference includes 'clear access-list counters' and related 'clear hit counts' entries (explicitly noted as 'Clear hit counts (pre-audit baseline)') — these are modifying operations and conflict with the SKILL's 'read-only' safety metadata and the Prerequisites statement. The presence of modifying operations in the documentation is scope creep and could be misused on production devices if followed without care.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest install risk. Nothing will be downloaded or written by the skill bundle itself.
Credentials
The skill declares no required environment variables or primary credential, which is reasonable for an instruction-only audit guide. In practice the procedure requires device access (SSH/API credentials, console access), which is not represented as required env vars. This is not necessarily malicious, but the skill should document how credentials are supplied and any recommended scope (least-privilege, read-only accounts).
Persistence & Privilege
No 'always: true'. The skill does not request persisting settings or modifying other skills. It appears to be intended for on-demand invocation and not permanent/autonomous presence.
What to consider before installing
This is an instruction-only ACL/firewall analysis skill and appears to implement the claims, but before using it:
1) Confirm how you'll supply device credentials (SSH/API) and ensure they are least-privilege (read-only) — the skill expects device access but doesn't declare credential handling.
2) Beware of the documented 'clear access-list counters' / 'clear hit counts' commands in the references — those are write operations and will alter device state; do not run them on production unless you intentionally want to reset counters.
3) Verify the registry/metadata mismatch about requiring 'ssh' so the runtime environment provides the necessary client if you intend to connect over SSH.
4) Because this skill runs commands against network devices, test it first in a lab or read-only snapshot/exported rulebase to avoid accidental changes.
If the author can confirm the skill never issues modifying commands by default (and documents safe credential usage), the remaining issues are minor.
Like a lobster shell, security has layers — review code before you run it.
latest vk976rdzfmjrk3yj6a59z9y45bs83ceb3
