Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
threat-detection
v0.1.0
Exact detection thresholds for identifying malicious network patterns, including port scans, DoS attacks, and beaconing behavior.
by @wu-uk
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)
Purpose & Capability
The name and description (network threat detection thresholds) match the SKILL.md content. However, the examples repeatedly import a local helper (pcap_utils) via sys.path.insert('/root/skills/pcap-analysis'), even though the skill has no code files and no install spec declaring that dependency. The module is required to run the provided examples but is neither bundled nor documented in the registry metadata.
Instruction Scope
The instructions tell the agent to analyze packet captures (tcp_packets, ppm_avg/ppm_max, iat_cv), which is expected for this skill, but they also direct the interpreter to add an absolute system path (/root/skills/pcap-analysis) to sys.path. Once that directory is on the import path, modules the examples import can be resolved from it, so the skill ends up running whatever code is present there, including other skills' files or arbitrary files on disk. The SKILL.md does not explain where tcp_packets come from, how pcap_utils is provisioned, or which disk locations will be read, leaving the agent broad discretion.
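As an added example (not ClawHub's scanner and not the skill's own code), the following script shows how the pattern flagged above can be checked mechanically before a skill is installed: it extracts the fenced Python blocks from a SKILL.md, reports absolute directories pushed onto sys.path, and reports imported modules that are neither standard library nor declared by the skill's metadata. The SKILL.md text embedded in it is constructed to reproduce the reported pattern; the real file and the exact form of its sys.path.insert call are assumptions.

```python
"""Static audit of a SKILL.md for undeclared local dependencies.

Added example; it is not ClawHub's scanner and not the skill's own code.
The SKILL.md text below is constructed to reproduce the pattern the scan
describes (absolute sys.path insert plus an import of a module the skill
does not ship); the real file may differ.
"""
import re
import sys

FENCE = "`" * 3  # markdown code fence, built this way so this block stays self-contained

# Constructed SKILL.md excerpt (assumption, not the real skill file).
SKILL_MD = "\n".join([
    "# threat-detection",
    "",
    "Flag port scans, DoS and beaconing from a packet capture.",
    "",
    FENCE + "python",
    "import sys",
    "sys.path.insert(0, '/root/skills/pcap-analysis')",
    "from pcap_utils import load_pcap, tcp_packets",
    "import statistics",
    "",
    "pkts = tcp_packets(load_pcap('capture.pcap'))",
    FENCE,
    "",
])

FENCE_RE = re.compile(FENCE + r"(?:python|py)?\n(.*?)" + FENCE, re.DOTALL)
SYSPATH_RE = re.compile(
    r"sys\.path\.(?:insert|append)\(\s*(?:\d+\s*,\s*)?['\"]([^'\"]+)['\"]"
)
IMPORT_RE = re.compile(r"^\s*(?:import\s+([\w.]+)|from\s+([\w.]+)\s+import)", re.MULTILINE)

# Python 3.10+ exposes the stdlib module list; older interpreters get a small fallback.
STDLIB = frozenset(getattr(sys, "stdlib_module_names", ())) or frozenset(
    {"sys", "os", "re", "json", "statistics", "collections"}
)


def python_blocks(md: str) -> list[str]:
    """Return the bodies of all fenced Python blocks in a SKILL.md."""
    return FENCE_RE.findall(md)


def absolute_syspath_inserts(code: str) -> list[str]:
    """Absolute directories the code pushes onto sys.path."""
    return [p for p in SYSPATH_RE.findall(code) if p.startswith("/")]


def undeclared_imports(code: str, declared: set[str]) -> list[str]:
    """Top-level modules imported that are neither stdlib nor declared by the skill."""
    found: list[str] = []
    for m in IMPORT_RE.finditer(code):
        top = (m.group(1) or m.group(2)).split(".")[0]
        if top not in STDLIB and top not in declared and top not in found:
            found.append(top)
    return found


def audit_skill(md: str, declared: set[str]) -> dict:
    """Aggregate findings over every Python block. 'declared' is the set of
    modules the registry metadata / install spec provides (empty for an
    instruction-only skill)."""
    paths: list[str] = []
    imports: list[str] = []
    for block in python_blocks(md):
        paths += [p for p in absolute_syspath_inserts(block) if p not in paths]
        imports += [i for i in undeclared_imports(block, declared) if i not in imports]
    return {
        "absolute_paths": paths,
        "undeclared_imports": imports,
        "suspicious": bool(paths or imports),
    }


if __name__ == "__main__":
    print(audit_skill(SKILL_MD, declared=set()))
```

Run with an empty declared set, as for an instruction-only skill, it flags both /root/skills/pcap-analysis and pcap_utils. Declaring pcap_utils clears the import finding but the absolute path remains, which is the right outcome: a bundled helper should be imported relative to the skill, not through a hard-coded system path that may resolve to someone else's code.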
Install Mechanism
This is instruction-only (no install spec and no code files), so nothing is written to disk by an installer. That minimizes direct supply-chain risk, but it increases reliance on unspecified local modules and environment assumptions.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. However, it assumes access to packet captures and to a specific local path (/root/skills/pcap-analysis). That implicit requirement (reading local files/modules) is not declared and could expose unrelated data or depend on other skills' files.
Persistence & Privilege
The skill is not always-on and uses the default model-invocation behavior. It does not request persistent privileges or claim to modify other skills or system-wide settings.
What to consider before installing
This skill is suspicious because it references an undeclared local helper library at /root/skills/pcap-analysis (pcap_utils) and assumes access to packet capture data without documenting how those inputs are provided. Before installing or using it:
1) Ask the author where pcap_utils and the packet data come from, and require an explicit install step or bundled code.
2) Verify that /root/skills/pcap-analysis (or any absolute path the examples add to sys.path) does not give the skill access to unrelated files or other skills' code.
3) If you must run the examples, do so in an isolated environment where you control the pcap input and can inspect the pcap_utils source.
4) Be aware that the thresholds are strict and may produce false negatives or operational surprises; validate them on labeled test data.
If the author cannot explain or provide the missing module and inputs, treat the skill as untrusted.
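Step 4 is the part most reviewers skip. As an added example (not the skill's code; the page does not publish its actual thresholds), the script below implements the metrics the scan names, packets per minute (ppm_avg/ppm_max) and the inter-arrival-time coefficient of variation (iat_cv), applies an assumed beaconing rule (iat_cv at most 0.1 over at least 10 packets), and scores that rule against constructed, labeled flows. The flows, their labels and the threshold values are all assumptions made for the demonstration.

```python
"""Validate beaconing thresholds on labeled flows.

Added example; not the skill's code and not ClawHub's. The skill works with
ppm_avg/ppm_max and iat_cv according to the scan, but the page does not give
its thresholds, so the values below (iat_cv <= 0.1, at least 10 packets) are
assumptions chosen to show how a strict rule behaves on labeled test data.
All flows are constructed, not captured traffic.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    name: str
    timestamps: list[float]  # packet times in seconds towards one destination
    beacon: bool             # ground-truth label (constructed)


def ppm_stats(ts: list[float]) -> tuple[float, int]:
    """Average and maximum packets per minute over 60 s buckets."""
    if not ts:
        return 0.0, 0
    start = min(ts)
    buckets: dict[int, int] = {}
    for t in ts:
        b = int((t - start) // 60)
        buckets[b] = buckets.get(b, 0) + 1
    minutes = int((max(ts) - start) // 60) + 1
    return len(ts) / minutes, max(buckets.values())


def iat_cv(ts: list[float]) -> float:
    """Coefficient of variation of inter-arrival times; near 0 means clockwork spacing."""
    ts = sorted(ts)
    iats = [b - a for a, b in zip(ts, ts[1:])]
    if len(iats) < 2:
        return float("inf")  # too few samples to say anything
    mean = statistics.mean(iats)
    return float("inf") if mean == 0 else statistics.pstdev(iats) / mean


def is_beacon(ts: list[float], cv_max: float = 0.1, min_packets: int = 10) -> bool:
    """Assumed rule: enough packets and near-constant spacing."""
    return len(ts) >= min_packets and iat_cv(ts) <= cv_max


def evaluate(flows: list[Flow], cv_max: float = 0.1, min_packets: int = 10) -> dict:
    """Confusion counts plus the names of the flows the rule got wrong."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0, "missed": [], "false_alarms": []}
    for f in flows:
        pred = is_beacon(f.timestamps, cv_max, min_packets)
        if pred and f.beacon:
            counts["tp"] += 1
        elif pred and not f.beacon:
            counts["fp"] += 1
            counts["false_alarms"].append(f.name)
        elif not pred and f.beacon:
            counts["fn"] += 1
            counts["missed"].append(f.name)
        else:
            counts["tn"] += 1
    return counts


def jittered(period: float, jitter: float, n: int) -> list[float]:
    """Period +/- jitter, alternating: a cheap stand-in for a beacon with jitter."""
    ts, t = [0.0], 0.0
    for i in range(1, n):
        t += period + (jitter if i % 2 else -jitter)
        ts.append(t)
    return ts


# Constructed labeled set (assumption: these labels are ground truth).
FLOWS = [
    Flow("beacon_fixed_60s", [i * 60.0 for i in range(20)], beacon=True),
    Flow("beacon_jitter_60s", jittered(60.0, 5.0, 20), beacon=True),
    Flow("browsing", [0, 0.3, 0.5, 12, 12.1, 45, 46, 130, 131.5, 200, 260, 261], beacon=False),
    Flow("beacon_short_capture", [i * 60.0 for i in range(5)], beacon=True),
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.name, ppm_stats(f.timestamps), round(iat_cv(f.timestamps), 3))
    print(evaluate(FLOWS))
```

The short capture of a genuine beacon is missed because of the minimum-packet requirement, which is exactly the false-negative risk the scan warns about; lowering min_packets to 5 catches it in this set. A labeled set like this is where such trade-offs should be measured before the thresholds are trusted in production.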
latest: vk978r9n6jjvqv415s47vtvmz1984t1j0
