Cli Anything

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill’s purpose is clear, but it can download changing GitHub code and install generated command-line tools that let an agent control local software.

Install only if you trust the upstream CLI-Anything project and the specific generated CLI harnesses. Prefer pinned/reviewed versions, use a virtual environment, and approve each /cli-install or generated CLI action before allowing the agent to control local applications.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Code installed or run later may differ from what was reviewed here, so a changed or compromised upstream/harness could execute unexpected installation code on the user’s machine.

Why it was flagged

The skill downloads the latest upstream repository and installs a package from the cloned/generated harness; the artifacts do not pin a reviewed commit, tag, hash, or lockfile.

Skill content

CLI_ANYTHING_REPO = "https://github.com/HKUDS/CLI-Anything.git" ... subprocess.run(["git", "clone", CLI_ANYTHING_REPO, str(INSTALL_DIR)], check=True) ... ["pip", "install", "-e", "."]

Recommendation

Pin a specific reviewed release or commit, verify integrity before installation, and show users the exact source being installed.

What this means

This is expected for installing generated CLIs, but pip installation can execute package setup code and modify the Python environment.

Why it was flagged

The /cli-install path invokes pip to install an editable Python package from the selected harness directory.

Skill content

result = subprocess.run(["pip", "install", "-e", "."], cwd=harness_dir, capture_output=True, text=True)

Recommendation

Install only trusted generated CLIs, preferably inside a virtual environment or otherwise isolated Python environment.

What this means

Once installed, a generated CLI may let the agent edit files, automate creative tools, or control apps with real-world effects such as recording or document export.

Why it was flagged

The stated purpose is to let an agent drive many local applications through generated CLIs.

Skill content

Let any software be driven by an AI agent. ... Supports software such as GIMP, Blender, LibreOffice, and OBS.

Recommendation

Approve each generated CLI deliberately and avoid enabling tools for sensitive applications unless the task requires it.

What this means

Installed commands remain available for future agent or user use until uninstalled, although the artifacts do not show hidden background activity.

Why it was flagged

The repository and installed CLI commands persist beyond a single invocation.

Skill content

INSTALL_DIR = Path.home() / ".openclaw" / "cli-anything" ... print(f"   命令: cli-anything-{software_name}")

Recommendation

Remove unused CLIs with pip uninstall and delete the ~/.openclaw/cli-anything clone if no longer needed.