Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Aistore
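v1.0.0
The master control center and application manager for the AI STORE ecosystem. When the user needs to learn about or ask about the AI STORE product platform, wants to configure a model on the platform as your working brain, or needs to search the marketplace for and install new skills that you do not currently have, proactively invoke this feature. It provides built-in silent discovery and learning of the model supermarket, proactive recommendation of and hand-off to aistore-auth authentication, and use of the gpushop CL...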
⭐ 0· 88·2 current·2 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description match the behavior: a marketplace manager that searches and installs skills via a gpushop tool. However, the SKILL.md mandates operations (global npm installs, filesystem reads of other skills, silent web browsing, and automatic installation of an auth plugin) that are not declared in the skill metadata (no required binaries, no install spec, no required env). The capabilities requested at runtime are broader than the declared requirements.
Instruction Scope
The instructions order the agent to: (a) automatically run gpushop search/install/uninstall/list/info/stats; (b) run npm -g install when gpushop is missing; (c) automatically install an 'aistore-auth' SSO skill without further user confirmation; (d) locate and cat the installed skill's SKILL.md (read arbitrary files in the skills directory); and (e) silently browse a remote model marketplace page to harvest Model IDs. Those actions involve network downloads, silent background web access, and reading arbitrary plugin files — all performed automatically and sometimes 'MUST' without user re-confirmation, which expands scope beyond typical skill behavior and raises privacy/exfiltration concerns.
Install Mechanism
There is no declared install spec, but the runtime instructions explicitly invoke npm to install an @gpushop package and use gpushop to install other packages. That means the skill will trigger package downloads and possible post-install hooks from npm at runtime. Because these installs are not declared in metadata and originate from an external npm scope, this is higher-risk and should be made explicit (package provenance, integrity, and explicit user consent).
Credentials
The skill declares no required credentials or env vars, yet it instructs installing and delegating to an 'aistore-auth' SSO skill which will likely require auth credentials and perform SSO flows. The skill also commands silent browsing of a marketplace URL. Requesting/performing auth-related flows without declaring needed credentials or explaining where secrets are stored is disproportionate and potentially risky.
Persistence & Privilege
While always:false, the SKILL.md contains multiple MUSTs that force the agent to autonomously invoke searches, installs, file reads, and background browsing whenever it deems a capability is missing — effectively granting persistent autonomous behavior within its domain. It also mandates reading other skills' SKILL.md files (accessing other skills' data), which is beyond a minimal scoped privilege and could expose sensitive information or amplify supply-chain risk.
What to consider before installing
This skill appears intended to act as an automated marketplace manager, which can be useful — but its instructions ask the agent to: automatically run npm and gpushop installs, silently browse an external marketplace URL, and read newly installed skills' SKILL.md files without asking the user again. Before installing, consider these precautions:
- Require explicit user consent before any network download or npm -g install, and show the exact package names and versions. Do not allow silent or mandatory installs.
- Do not allow automatic installation of 'aistore-auth' (or any auth/SSO plugin) without explicit, separate confirmation; review that package first.
- Block or log silent background browsing. Any web scraping or network access should be visible to the user and limited to the declared endpoints.
- Restrict file reads to the installed skill's declared manifest only; avoid arbitrary filesystem access. At minimum, prompt before reading files outside the agent's own sandbox.
- Verify the provenance of @gpushop packages (check npm registry, package signatures, maintainers) before allowing global installs.
- If you accept this skill, consider sandboxing its runtime (network and filesystem restrictions) and require a confirmation step in the agent policy for any package install or SSO hand-off.
Given the clear mismatches between declared metadata and the required runtime actions, treat this skill as suspicious and require policy/consent changes before use.
latest: vk9728t105khfbv1qk76q0jbccx83gd69
