Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Deepsafe Scan

v2.0.1

Preflight security scanner for AI coding agents — scans deployment config, skills/MCP servers, memory/sessions, and AI agent config files (hooks injection) f...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the delivered artifacts: Python scripts implement posture/skill/memory/hooks scans and model probes. Requiring python3 and shipping static analyzers, probe templates, and an LLM client is proportionate to the stated functionality. One mismatch: the skill auto-enables a gateway chatCompletions endpoint by editing ~/.openclaw/openclaw.json (scripts/llm_client.py), which is beyond a passive scanner's expected read-only behavior.
Instruction Scope
SKILL.md instructs scanning sensitive local areas (agents/, credentials/, ~/.openclaw, logs, workspace), and the code will auto-detect and use ANTHROPIC_API_KEY / OPENAI_API_KEY or an OpenClaw gateway token. That data may be sent to external LLM endpoints during model probes. The skill also presents itself as able to 'help fix issues' and the llm_client contains logic that writes to openclaw.json to enable an endpoint — this expands scope from read/scan to modification and potential configuration changes.
Install Mechanism
Install spec is lightweight: a brew package for python3 only. No remote archive downloads or npm/pip installs. The install mechanism is proportionate.
Credentials
The skill declares no required env vars but the runtime auto-detects and will read ANTHROPIC_API_KEY, OPENAI_API_KEY, and OpenClaw gateway token (and potentially OPENCLAW_GATEWAY_TOKEN / OPENAI_BASE_URL). These are expected for the model-probe features, but you should be aware the skill will use any detected keys without an explicit requirement prompt. If you don't want keys used, SKILL.md shows a --no-llm flag to avoid LLM calls.
Persistence & Privilege
scripts/llm_client.py contains _ensure_chat_completions_enabled which modifies the user's ~/.openclaw/openclaw.json to enable a gateway endpoint. This is a write to another tool's configuration and qualifies as modifying other agent/system settings—an intrusive privilege. The skill is not always:true, but it requests the ability to modify external config files at runtime.
Scan Findings in Context
[system-prompt-override] expected: Prompt injection / system-prompt override patterns appear in data/prompts.json and the probes. This is expected because the skill implements model-behavior probes that intentionally test for such vulnerabilities; however these same patterns are dangerous if present in scanned artifacts or used accidentally against production models.
What to consider before installing
This scanner is largely consistent with its stated purpose, but exercise caution before running it on your real environment:

- Back up any agent/gateway config (e.g., ~/.openclaw/openclaw.json) before running. The tool contains code that will modify that file to enable a chatCompletions endpoint.
- If you do not want any external LLM access (and to avoid sending sensitive data to third-party APIs), run with --no-llm or do not expose ANTHROPIC_API_KEY / OPENAI_API_KEY / gateway tokens to the environment.
- Review the code (scripts/llm_client.py, scripts/scan.py, and probe files) yourself if possible; the probes contain deliberate prompt-injection and persuasion templates used to test models.
- Run scans in an isolated or disposable environment (not on production machines) and avoid running as root; the skill will read many sensitive local files (credentials, logs, sessions).
- If you want only static analysis, use the --no-llm flag and ensure the tool cannot access your API keys or the OpenClaw gateway token.

Given the tool's capability to modify other agent configs and to use detected API credentials automatically, only install or run it after you are comfortable with those behaviors.
scripts/scan.py:566: File read combined with network send (possible exfiltration).
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Tags: audit, deception, deepsafe, hallucination, latest, memory-scan, model-safety, openclaw, persuasion, pii, posture, prompt-injection, sandbagging, scanner, secrets, security, skill-scan

Runtime requirements

Clawdis
Bins: python3

Install

Install Python 3 (brew)
Bins: python3