Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Update Approval Guard
v1.0.0
Use this skill when the user wants scheduled update checks for OpenClaw and installed skills, but does not want automatic mutation. The skill performs dry-ru...
by HIIC-Wayne @waytobetter619
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a narrow updater that only needs the local openclaw/clawhub commands and workspace storage. However the published package contains dozens of other skill directories, scripts, config files, and baked-in tokens (e.g., feishu app_token, mcporter Bearer tokens, instreet api_key). Those extras are unrelated to a simple update-checker and increase the attack surface and data exposure risk.
Instruction Scope
The SKILL.md itself is tightly scoped (dry-run checks, create pending-update.json, apply only on explicit approval). But other included files (AGENTS.md, SOUL.md, memory files) instruct agents to read workspace memory and user files on startup. The package-level instructions encourage reading many files (MEMORY.md, USER.md, etc.), which is scope creep relative to an update-approval helper and could leak sensitive context during scheduled tasks.
Install Mechanism
There is no formal install spec (instruction-only), which normally limits risk — but the bundle contains a publish.sh and an UPDATE-APPROVAL-GUARD-PUBLISH.md that describe an automated publish workflow (git init, push to GitHub, publish to ClawHub). That behavior could exfiltrate workspace code or metadata if the script is run. Also many auxiliary scripts and backups are bundled unnecessarily with the single-skill description.
Credentials
The skill declares no required env vars or credentials, but the repository includes multiple files with hard-coded tokens and API keys (e.g., config/industry_news_config.json app_token, config/mcporter.json Bearer tokens, instreet api_key). These credentials are unrelated to the update-check workflow and indicate either accidental leakage or an incoherent package composition.
Persistence & Privilege
always is false (good). Model invocation is enabled (default). There is no declared behavior that forces permanent installation, but embedded files/instructions (publish script, cron example) could be used to create persistent cron jobs or publish code if an operator runs them. Autonomous cron-triggered agent turns could read workspace files; combined with the other issues this increases blast radius.
Scan Findings in Context
[ignore-previous-instructions] unexpected: Prompt-injection pattern detected in package SKILL.md pre-scan signals. The update-checker does not need to alter system prompts; presence of these patterns is unexpected and worth manual review.
[you-are-now] unexpected: Another pre-scan prompt-injection indicator. Not expected for a narrow update-approval skill; inspect SKILL.md/AGENTS.md for attempt to override agent role or system prompts.
[system-prompt-override] unexpected: Detected pattern suggests instructions that may try to change the agent/system prompt. This is unrelated to scheduled update checks and should be reviewed.
What to consider before installing
This skill's behavior (check-only then apply after explicit approval) is reasonable, but the provided bundle contains many unrelated scripts, other skills, and hard-coded tokens. Before installing:
1) Inspect publish.sh and do not run it unless you trust it — it may git-init and push code.
2) Search the package for hard-coded secrets (app tokens, API keys) and remove/rotate any you find.
3) Verify cron job creation is performed in an isolated session and that the scheduled job cannot leak workspace files or push to external repos.
4) Review AGENTS.md/SOUL.md behavior: they instruct agents to read memory and user files — ensure that scheduled checks won’t expose sensitive memory to external channels.
5) If you only want the update-check logic, extract and install just the SKILL.md and example cron payload (avoid running publish scripts and unrelated code).
If you’re unsure, test in a sandbox workspace (no real credentials) or decline installation until the package is cleaned.
scripts/ocean_daily_news.mjs:100
Shell command execution detected (child_process).
skills/hiic-industry-daily-report/scripts/subscription-manager.mjs:145
Shell command execution detected (child_process).
scripts/industry_daily_news.mjs:86
Environment variable access combined with network send.
skills/hiic-industry-daily-report/scripts/content-extractor.mjs:12
Environment variable access combined with network send.
skills/hiic-industry-daily-report/scripts/generate-report.mjs:116
Environment variable access combined with network send.
skills/hiic-industry-daily-report/scripts/search-aggregator.mjs:49
Environment variable access combined with network send.
skills/hiic-industry-daily-report/scripts/summarize-content.mjs:26
Environment variable access combined with network send.
skills/tavily-search/scripts/extract.mjs:18
Environment variable access combined with network send.
skills/tavily-search/scripts/search.mjs:42
Environment variable access combined with network send.
skills/feishu-agent-mesh/scripts/relay-config.json:11
Install source points to URL shortener or raw IP.
scripts/industry_daily_news.mjs:26
File read combined with network send (possible exfiltration).
skills/hiic-industry-daily-report/scripts/feishu-bitable-saver.mjs:7
File read combined with network send (possible exfiltration).
skills/hiic-industry-daily-report/scripts/save-to-bitable.mjs:8
File read combined with network send (possible exfiltration).
skills/hiic-industry-daily-report/scripts/search-aggregator.mjs:20
File read combined with network send (possible exfiltration).
skills/instreet/scripts/heartbeat.mjs:7
File read combined with network send (possible exfiltration).
skills/proactive-agent.backup.20260311_152420/assets/HEARTBEAT.md:11
Prompt-injection style instruction pattern detected.
skills/proactive-agent.backup.20260311_152420/references/security-patterns.md:9
Prompt-injection style instruction pattern detected.
skills/proactive-agent.backup.20260311_152420/SKILL-v2.3-backup.md:179
Prompt-injection style instruction pattern detected.
skills/proactive-agent/assets/HEARTBEAT.md:11
Prompt-injection style instruction pattern detected.
skills/proactive-agent/references/security-patterns.md:9
Prompt-injection style instruction pattern detected.
skills/proactive-agent/SKILL-v2.3-backup.md:179
Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
