Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

obs

v1.0.1

Comprehensive Open Build Service (OBS) management with full API support for projects, packages, repositories, builds, submit requests, files, users, and search.

by wei dong (@weidongkl)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (OBS management) match the included scripts and library: the skill calls the OBS API, manages projects/packages/builds/files, and asks for OBS credentials (API token or oscrc). The only minor inconsistency is that the registry metadata lists no required env vars while SKILL.md and the scripts clearly expect OBS_APIURL/OBS_USERNAME/OBS_TOKEN or ~/.config/osc/oscrc.
Instruction Scope
Runtime instructions and included scripts read/write user config (~/.config/osc/oscrc), may append credentials to shell rc files (~/.bashrc or ~/.zshrc), create temp cookie files in /tmp, and suggest creating a symlink in /usr/local/bin. The API helper uses eval to build and run curl commands (obs_api_call), which can introduce command-injection risk if inputs are not strictly sanitized. These behaviors are within the tool's purpose but increase risk and should be reviewed before use.
Install Mechanism
No network install/downloads or external installers are used; this is an instruction-and-script package bundled with the skill. That lowers supply-chain risk compared with arbitrary remote downloads. All code is present in the repository for inspection.
Credentials
The credentials requested (OBS username and API token or oscrc) are appropriate for an OBS client. However, the skill metadata did not declare these required env vars even though SKILL.md and scripts depend on them; that's an inconsistency to be aware of. The setup script stores the token in ~/.config/osc/oscrc and optionally appends it to the user shell rc — storing secrets in shell rc is not best practice.
Persistence & Privilege
The skill does not request global 'always' privilege. The included setup script writes to per-user config files and can append environment variables to shell rc; it also suggests creating a symlink in /usr/local/bin (which requires elevated privileges). These are reasonable for a CLI tool but require user consent and care (avoid running as root unless intended).
Assessment
What to check before installing/running:
- Review the two bundled scripts (references/obs-lib.sh and scripts/obs-expert-setup.sh) yourself; all code is included.
- The skill needs your OBS API token (OBS_USERNAME/OBS_TOKEN) or an oscrc file; only supply a token you trust and keep it minimal-scope and rotatable.
- The setup script will write ~/.config/osc/oscrc and can append credentials to your shell rc (~/.bashrc or ~/.zshrc). Prefer using ~/.config/osc/oscrc with chmod 600 rather than storing tokens in shell rc.
- Do not run the setup script as root unless you deliberately want to create system-wide symlinks; creating a symlink in /usr/local/bin requires root and expands the attack surface.
- The API library uses eval to construct curl commands; if you plan to pass filenames or other inputs containing untrusted content, inspect or sanitize inputs to avoid command injection.
- Test in a safe environment (non-production user or container) first. If you proceed, rotate the token after initial testing and follow least-privilege practices.
- If anything looks unexpected (external endpoints other than api.opensuse.org, unusual network calls, or credential exfiltration), do not proceed and ask for clarification from the author.
