Skill v2.0.0
ClawScan security
SDF COM Bridge · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 1, 2026, 7:08 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill generally matches its stated purpose (an SSH-based bridge to SDF COM with translation), but the code reads/writes undeclared files in the user's home and relies on an existing SSH ControlMaster socket—these filesystem and SSH assumptions are not declared in the metadata and deserve caution.
- Guidance: This skill's code largely matches a legitimate SSH-based chat bridge, but it omits important runtime details in metadata. Before installing or running it:
  - Review and accept that it will attempt to reuse your SSH ControlMaster socket (~/.ssh/sockets/<user>@<host>) and will spawn 'ssh' locally. Ensure you understand which SSH identity and host will be used.
  - Inspect and be comfortable with files created under your home (it will create ~/.openclaw/workspace with state, logs, translation-queue and results). These persist between runs and may contain chat content.
  - The bridge will send arbitrary COM commands and messages to the remote host (based on Feishu 'com:' inputs). Only run it if you trust the remote host and the messages the bridge might send.
  - The translation flow relies on a cooperating 'main agent' to process queue files; without that component translations may be stubbed. Confirm how translations are produced and who/what has access to the queue/results directories.
  - For safety, run and test in an isolated environment (VM/container) and use a throwaway SSH identity if possible. Verify file permissions for the created directories and clean up files after testing.
  - If you plan to integrate with Feishu, note the provided code parses Feishu-like commands but does not include a networked Feishu client; any network integration should be audited separately.

  If you want, I can list the exact files/paths the skill writes and point out the lines that create or call them so you can audit them precisely.
Review Dimensions
- Purpose & Capability (note): The code implements an SSH-based bridge, terminal parsing, and a file-queue translation flow that fit the described SDF COM ↔ Feishu bridging purpose. However, the skill's metadata/requirements declare no config paths or credentials, yet the code requires an existing SSH ControlMaster socket (~/.ssh/sockets/<user>@<host>) and creates/uses ~/.openclaw/workspace directories for state, queues, and logs. These items are expected for an SSH bridge but should have been declared.
- Instruction Scope (concern): SKILL.md instructs running the Python scripts and even calls a test that triggers an 'ssh -O check' subprocess; it does not disclose that the runtime will create and write state, error logs, translation queue/results in ~/.openclaw/workspace, or that it will spawn an ssh subprocess using your keys/config. The main translation loop expects an external 'main agent' to poll and complete translations via files — SKILL.md mentions this but the mechanism is not prominent. The SKILL.md also instructs editing main.py with usernames, which could cause unintended connections if misconfigured.
- Install Mechanism (ok): There is no install spec (instruction-only); dependencies are a small pinned set (pyte, pyte-screen) listed in requirements.txt. No remote download/install URLs are used. This is lower risk, but note the included code will be executed locally when 'python scripts/main.py' is run.
- Credentials (concern): The skill requests no environment variables in metadata, yet the code accesses and creates several paths under the user's home (~/.ssh/sockets for the SSH ControlMaster socket and ~/.openclaw/workspace/.com-bridge, .com-translation-queue, .com-translation-results). It also runs the local 'ssh' binary (via subprocess) and will reuse the user's SSH control socket and keys. These are reasonable for an SSH chat bridge but are not declared and grant the skill access to persistent files and your SSH agent/context.
- Persistence & Privilege (note): The skill creates persistent state and queue files in the user's home (~/.openclaw/workspace) and writes an error log; it does not request always:true nor modify other skills. Persistent files are within its own directory structure, but this persistence (and the fact it will reuse an SSH ControlMaster socket) increases blast radius if misused.
