Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

skill-forge

v1.3.0

A comprehensive tool for creating, documenting, wrapping, and quality-checking professional-grade skills with standardized templates and best practices.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description (skill creation, templates, docs, QA) aligns with the included files: a CLI script to init/check/package skills, templates, docs, and an OpenClaw hook. Requests and metadata don't ask for unrelated credentials or resources.
Instruction Scope
SKILL.md instructs running the CLI (init/check/wrap/install-deps etc.) and wrapping GitHub repos — expected for this tool. The instructions do not ask the agent to read unrelated secrets or system-wide configs. However, the included CLI implementation executes system commands (checks, installs) and would run package-manager commands and arbitrary shell commands derived from skill metadata, which extends its runtime scope to system package management and shell execution.
Install Mechanism
There is no registry install spec (instruction-only at registry level). The package contains code files but does not automatically download remote executables at install time. This is lower risk than an install that pulls a binary from an arbitrary URL.
Credentials
The skill declares no required environment variables, credentials, or config paths. Nothing in the code requires unrelated cloud credentials. That matches the stated purpose.
Persistence & Privilege
always is false and the OpenClaw hook is optional; the hook contains only periodic console reminders and simple handlers. The skill does not request forced persistent inclusion or modify other skills' configs.
Scan Findings in Context
[child_process.execSync] expected: The CLI uses execSync to run system commands (which/where, brew/apt/winget). Running system package managers is expected for an installer, but shell execution must be used safely.
[shell-command-concatenation] unexpected: Commands are constructed via string interpolation (e.g., `which ${dependency}` and `sudo apt-get install -y ${dependency}`) and executed in a shell; if dependency values are attacker-controlled (from a malicious _meta.json), this can lead to command injection. This is an implementation vulnerability rather than a mismatch of purpose.
[privileged-install-commands] expected: installDependency calls platform package managers and uses sudo/winget/brew where appropriate. That matches dependency-install functionality but may require elevated privileges and could install arbitrary packages.
What to consider before installing
This skill appears to do what it says (create, document, and package skills), but exercise caution before running it on a machine you care about. Key things to consider:

- Review the scripts before running. The CLI uses execSync to run shell commands and package managers. If you plan to run 'install-deps' or similar commands, inspect _meta.json for any untrusted skill directories first.
- Command-injection risk: dependency names from metadata are interpolated into shell commands without sanitization. Do not run this tool on data from untrusted sources or unreviewed _meta.json files.
- Privilege escalation: installDependency invokes apt/winget/brew and may use sudo. Run in a sandbox or container (or without install commands) if you want to evaluate it safely.
- OpenClaw hook is benign (console reminders) but only enable it if you trust the code; it will run periodically in sessions where hooks are enabled.

If you want higher confidence: ask the author for an explicit review/fix that escapes/sanitizes dependency names and avoids shell command concatenation (use execFile/spawn with argument arrays and no shell), or run the tool in an isolated VM/container and avoid running the automatic install features.
scripts/skill-creator.js:299: Shell command execution detected (child_process).
scripts/skill-creator.js:612: Dynamic code execution detected.
scripts/skill-creator.js:733: Environment variable access combined with network send.
scripts/skill-creator.js:239: File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk979s6phqrqcg76gske67mp7eh83jc15
