Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Pywayne Bin Cmdlogger
v0.1.0
Execute commands with real-time console output while logging all stdin, stdout, and stderr to a customizable log file for monitoring and debugging.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the SKILL.md (a command I/O logger). However, the SKILL.md presumes a 'cmdlogger' executable and provides no implementation or install instructions—so it's unclear whether the agent is expected to implement this behavior itself, or rely on a preinstalled binary. That mismatch is surprising and worth clarifying.
Instruction Scope
The runtime instructions direct running arbitrary commands and recording all stdin, stdout, and stderr, including interactive sessions (e.g., SSH, GDB, Python REPL). While this aligns with the claimed purpose, it also means the skill will capture sensitive inputs (passwords, passphrases, secret tokens that might be typed) and potentially long/unbounded output. The SKILL.md warns about sensitive input but provides no instructions for redaction, access control, or safe defaults.
Install Mechanism
There is no install spec and no code files; the skill is instruction-only, so nothing will be written to disk by the installer. That minimizes supply-chain risk, but it increases ambiguity about how the documented 'cmdlogger' is expected to exist in the runtime.
Credentials
No credentials or env vars are requested, which is appropriate. However, because the skill logs stdin/stderr/stdout broadly (including interactive input), it can capture secrets that the skill did not explicitly ask for. The skill provides no guidance on securing or limiting log file access, redaction, encryption, or retention.
Persistence & Privilege
The skill does not request always:true and is user-invocable only. It does not attempt to modify other skills or agent-wide settings. There is no persistent installation footprint declared.
Scan Findings in Context
[no_code_files] expected: This is an instruction-only skill (SKILL.md only). The regex-based scanner had no code to analyze, which is expected but removes one source of static analysis signal.
What to consider before installing
This skill describes a tool that will record everything you type and everything commands print — including passwords, SSH passphrases, tokens, and other secrets. Before installing or using it: (1) Confirm where the actual 'cmdlogger' implementation comes from and only use a vetted binary or trusted source; (2) Never run it with interactive commands that request secrets (SSH logins, sudo passwords, OTP entry) unless you accept the risk; (3) Specify a secure --log-path (not world-readable), restrict file permissions, implement log rotation, and consider encrypting logs at rest; (4) Prefer tools that support redaction/filters if you need to avoid capturing secrets; (5) If you intended this as documentation for an external tool, ask the publisher to add installation instructions and explicit safeguards (redaction, retention policy). If you cannot verify the implementation or cannot ensure log security, avoid enabling this skill for sensitive workflows.
Like a lobster shell, security has layers — review code before you run it.
latestvk97crrwa7eak8myvqj0jc9xrn581486y
