Cli Anything

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent CLI-generation purpose, but it can fetch changing GitHub code and install Python harness packages into the user's environment without explicit user consent, version pinning, or isolation.

Install only if you trust the upstream CLI-Anything repository and any agent-harness packages you install. Review harness contents before /cli-install, prefer an isolated virtual environment or container, avoid running it on untrusted repositories, and remove ~/.openclaw/cli-anything plus installed CLI packages when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    print(f"   目录: {harness_dir}")

    # install into the current user's environment
    result = subprocess.run(
        ["pip", "install", "-e", "."],
        cwd=harness_dir,
        capture_output=True,
        text=True,
    )
Confidence
95% confidence
Finding
result = subprocess.run( ["pip", "install", "-e", "."], cwd=harness_dir, capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    """Ensure the CLI-Anything repository is installed."""
    if not INSTALL_DIR.exists():
        print(f"📥 克隆 CLI-Anything 仓库...")
        subprocess.run(["git", "clone", CLI_ANYTHING_REPO, str(INSTALL_DIR)], check=True)
        print(f"✅ 已克隆到 {INSTALL_DIR}")
    else:
        print(f"📂 CLI-Anything 已安装: {INSTALL_DIR}")
Confidence
86% confidence
Finding
subprocess.run(["git", "clone", CLI_ANYTHING_REPO, str(INSTALL_DIR)], check=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises operational capabilities that involve reading local source trees and invoking shell/package-management tooling, but it does not declare corresponding permissions or user-consent boundaries. In an agent setting, undeclared file and shell access increases the chance of silent filesystem inspection or command execution beyond what a user expects, which is a real security issue even if the functionality is part of the intended workflow.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior goes beyond 'building a CLI from software source' and includes cloning remote repositories, installing generated or prebuilt packages into the system environment, and relying on external coding agents for parts of the pipeline. That mismatch is dangerous because users may approve the skill for source analysis but unintentionally authorize network retrieval and local environment modification, which can lead to supply-chain exposure and unwanted system changes.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The skill's real behavior includes cloning external code and installing harness packages, which expands its authority from 'generate CLIs' to arbitrary software retrieval and package installation. In an agent context, that broader-than-advertised capability is dangerous because it can be used to introduce and execute untrusted code on the host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README instructs users to build CLIs from arbitrary local paths or remote GitHub repositories, then install and run the generated tooling, but it does not warn that these steps may execute untrusted code, install packages, or alter the local environment. In an agent-driven context, this is more dangerous because the skill explicitly targets automatic control of arbitrary software, increasing the chance that users or agents will perform high-risk actions without understanding the trust boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatic cloning on first use introduces unannounced network access and downloads executable code or build artifacts from a remote source. In an agent context, implicit retrieval materially raises supply-chain and consent risks because remote content can change over time and the user is not clearly prompted before the fetch occurs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Installing a local package with `pip install -e .` can execute arbitrary code from package metadata, build hooks, and dependencies. The script does this without an explicit warning that installation is code execution, increasing the chance that a user or agent will run untrusted harness code under false assumptions.

VirusTotal

64/64 vendors flagged this skill as clean.