Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bundle

v1.0.0

Package directories into distributable bundles with manifests. Use when creating release packages, verifying contents, or generating checksums.

by bytesagain4@xueyetianya
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The skill's name, description, SKILL.md, and the included script all align: they implement bundling, manifests, verification, listing, sizing, and extraction. Minor inconsistency: metadata listed no required binaries, while SKILL.md notes "bash 4.0+" and the script relies on standard Unix tools (tar, sha256sum, find, du). These are expected for the stated purpose but were not enumerated in the registry metadata.
Instruction Scope
SKILL.md directs the agent to run the included scripts/script.sh commands. The script operates only on user-provided paths and creates a local data directory (~/.local/share/bundle). It does not read unrelated system files, environment variables, or contact external endpoints. Commands like extract use tar which can overwrite files if run on untrusted archives; this is expected behavior for an extraction tool but is worth noting.
Install Mechanism
There is no install spec (instruction-only), and the only shipped code is a shell script. No downloads or archive extraction during installation are required, minimizing installation risk.
Credentials
The skill does not request any environment variables, credentials, or external config paths. It does create and use ~/.local/share/bundle for local data, which is proportionate to its stated need to store metadata/caches.
Persistence & Privilege
The skill is not always-enabled and does not request elevated privileges or modify other skills or global agent config. Its persistent effect is limited to creating a directory under the user's home directory.
Assessment
This skill appears coherent and local-only: it packages directories with tar, computes/validates SHA256 checksums, lists and extracts bundles, and stores data in ~/.local/share/bundle. Before installing or running: (1) ensure you have/allow the standard tools it uses (bash, tar, sha256sum, find, du); (2) review any bundles before extraction — tar -xzf can overwrite files or be abused by crafted archives (path traversal, symlinks); (3) note the script will create a directory in your home for data; (4) if you need stricter guarantees, run the script in a sandbox or inspect the script contents (they are included) before use.
