Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Skill Runner
v1.0.0Enables secure execution of specified OpenClaw skills via cron jobs by forwarding agentTurn messages and passing the necessary context.
⭐ 0· 84·1 current·1 all-time
by@xpneuma
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill's goal (invoke another skill's exported skill() function with the same context) is consistent with its name and description, but the implementation uses a hard-coded absolute path (/home/bosunjung/.openclaw/workspace/skills) and will attempt to import arbitrary files. The hard-coded username path is unexpected and likely incorrect for most installations. Allowing arbitrary skill names to resolve to filesystem paths is broader than the description implies.
Instruction Scope
SKILL.md promises a 'secure' proxy that passes a context object to a target skill. The code indeed forwards the full context to the imported skill, but there is no validation, allowlist, or sanitization of the requested skill name. This enables directory traversal (e.g., '../') and arbitrary local module execution, and it grants the target skill the same tools/privileges the runner has — behavior that is potentially dangerous and not mitigated by the instructions.
Install Mechanism
No install spec and no external downloads are present; the skill is instruction/code-only. That minimizes supply-chain install risk. The included index.js should still be reviewed and audited before use.
Credentials
The skill declares no environment variables or credentials (which is proportionate). However, it accesses the host filesystem at an absolute path and dynamically imports local modules; filesystem access is implicit and broad. The hard-coded path is suspicious and may expose unintended files if the runtime user has wide filesystem permissions.
Persistence & Privilege
always is false and the skill doesn't request special platform privileges. However, because it can be invoked (cron payloads or other agentTurn messages) to execute arbitrary local code and passes its own context into that code, it effectively widens the blast radius of any skill that can be invoked through it. That makes message-source validation and allowlisting important.
What to consider before installing
This skill can run other local skills by importing their index.js and passing them the runner's full context. Before installing, consider: 1) The code hard-codes /home/bosunjung/... — confirm that path is correct for your environment or request that the author make the base path configurable. 2) The message payload ("run <skill-name>") is not sanitized or allowlisted — an attacker who can send cron payloads or agentTurn messages could request 'run ../../some/path' and cause arbitrary local file execution. Require an allowlist of permitted skill names or validate against a strict pattern (e.g., /^[a-z0-9_-]+$/). 3) The runner forwards its full context (tools, sessions) to the invoked skill — limit the context or use capability-scoped proxies so untrusted skills can't access more than they need. 4) Run this skill as a least-privileged user and ensure the runtime cannot read sensitive files from the filesystem; avoid running as root. 5) Ask the author to remove the hard-coded username path, add input sanitization, implement an allowlist, and document exactly which capabilities are passed to invoked skills. If you cannot confirm these changes, consider this skill risky and avoid installing it on production or multi-tenant systems.Like a lobster shell, security has layers — review code before you run it.
latestvk979fgmphphqd92hnrsr4ydvwn838wph
License
MIT-0
Free to use, modify, and redistribute. No attribution required.