Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Runtime Verifier

v1.0.0

Use when a code change must be verified by actually running the app, endpoint, or CLI flow instead of relying only on unit tests.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description align with the instructions (actually running apps/CLIs to verify changes). However, the skill declares no required binaries or environment details even though runtime verification typically requires specific tools, commands, or startup scripts — a modest mismatch in declared requirements versus expected capabilities.
Instruction Scope
SKILL.md tells the agent to 'start the needed app, server, or CLI environment' and to 'execute the runtime checks' but is intentionally vague about what commands to run, what files or env vars to read, and what external endpoints to contact. That open-ended guidance grants broad discretion and could lead the agent to access sensitive files/credentials or make network calls unless constrained by the operator or platform sandboxing.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by the skill itself, which minimizes installation risk.
Credentials
The skill requests no environment variables or credentials, which is appropriate on its face. However, because the runtime instructions may require invoking local tools or reading env/configuration in practice, the lack of declared dependencies or guidance about permitted secrets is noteworthy.
Persistence & Privilege
Skill is not marked always:true and does not request persistent presence or system-wide configuration changes. Autonomous invocation is allowed (platform default) but not accompanied by other privilege escalations.
What to consider before installing
This skill is coherent with its stated purpose but is intentionally high-level and grants the agent broad ability to run processes and interact with systems. Before installing or using it: (1) require a clear, pre-authorized verification plan that lists exact commands, files, ports, and endpoints the agent may use; (2) run verifications in an isolated sandbox/container or test environment to avoid exposing secrets or production data; (3) avoid providing long-lived credentials — use ephemeral or scoped credentials if external services are needed; (4) ask the skill author to declare required binaries and any expected environment variables; and (5) consider adding explicit guardrails in the prompt or platform (no network access, no reading of ~/ or /etc, etc.) to limit accidental access to sensitive data.

Like a lobster shell, security has layers — review code before you run it.
