Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
grpc-test-automation
v1.0.0
Complete gRPC test automation for embedded devices with C/C++ SDK. Input: requirements.md + SDK (C/C++ headers and libraries) Output: Test framework + JMX +...
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, SKILL.md, scripts, and reference docs consistently implement gRPC test automation for a C/C++ SDK (many references to a 'venc' SDK). That alignment is reasonable. Minor mismatch: the skill assumes many external tools (protoc, cmake, make, gRPC libs, JMeter at /opt/jmeter, grpc_cpp_plugin) but the registry metadata lists no required binaries or environment variables.
Instruction Scope
Runtime instructions focus on analyzing SDK headers, generating proto/service wrappers, building a C++ gRPC server, deploying artifacts to an embedded board, running JMeter tests, and producing an Excel report. The instructions do not request unrelated secrets or system files. Note: the workflow includes deploying/mounting artifacts to a board and starting a server listening on 0.0.0.0 (insecure by default) — expected for testing but operationally sensitive.
Install Mechanism
There is no formal install spec, but scripts perform network installs at runtime: init_project.sh calls 'pip3 install grpcio grpcio-tools protobuf openpyxl', and generate_report.py will invoke pip (via subprocess) to install openpyxl if missing. These actions fetch packages from PyPI at runtime and write to the host environment. No downloads from arbitrary URLs were observed, but automatic package installation increases risk and should be reviewed.
Credentials
The skill declares no required environment variables or credentials and the code does not attempt to read secrets. It does rely on system tools and specific paths (/opt/jmeter, system protoc/grpc plugins). No environment-variable exfiltration or unrelated credential access was detected.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not try to persist credentials. It will start processes (gRPC server, JMeter) during tests but there is no sign of long-term privilege escalation or forced inclusion.
What to consider before installing
This skill appears to implement what it claims, but review and prepare before running:
1) Inspect scripts (especially init_project.sh, analyze_sdk.py, generate_report.py) and confirm you trust the SDK and repository.
2) Expect the scripts to install Python packages from PyPI at runtime — run these installs in a sandbox or virtualenv if needed.
3) Ensure required tools are present: protoc, cmake, make, gRPC C++ plugin, and JMeter (the templates assume /opt/jmeter).
4) The generated server binds 0.0.0.0 and uses insecure credentials by default — run it in an isolated test network, not on production or Internet-facing hosts.
5) Verify any mounting/deploy steps to your embedded board are safe for that device and do not overwrite critical files.
6) Because some parsing logic in analyze_sdk.py is brittle/specialized (e.g., filters around functions prefixed with 'venc_'), test the analyzer on sample headers first.
If you need higher assurance, run the initialization and builds in a VM/container and audit any network activity and installed packages.
Like a lobster shell, security has layers — review code before you run it.
