junior-high-math-research-plans
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: junior-high-math-research-plans
Version: 1.0.0
The skill is classified as suspicious primarily due to the `package.json` file requesting `"exec"` permission within its `openclaw.permissions` array. While the provided JavaScript files (`skills/教学资源查找.js`, `skills/教学计划生成.js`, `scripts/发布准备.js`) do not contain any code that explicitly utilizes this high-risk capability (e.g., `child_process.exec`), requesting `exec` permission without a clear, demonstrated need in the existing code is a significant security concern. This grants the skill the ability to execute arbitrary commands, posing a potential remote code execution vulnerability if the agent were to be compromised or if future, unreviewed code were added. Other file system operations (read/write) are consistent with the skill's stated purpose of managing teaching resources and generating reports.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the platform honors these permissions, the skill may be granted broader local file and execution capability than the basic lesson-plan/resource lookup use case requires.
The package declares broad read/write/exec permissions, while the shown teaching-resource code does not include shell spawning or network behavior. This is not misuse by itself, but users should notice the broad authority.
"openclaw": { "skill": true, ... "permissions": ["read", "write", "exec"] }
Install only if you are comfortable with those local permissions; the maintainer should narrow permissions or clearly document why exec access is needed.
Users have less assurance about the exact dependency version or project source associated with the package.
The dependency is a version range rather than a pinned version, and the repository URL appears to be a placeholder. This weakens provenance clarity but does not show hidden download or execution behavior.
"dependencies": { "openclaw": ">=1.0.0" } ... "url": "https://github.com/example/junior-high-math-research-plans"
Verify the publisher/source before installing; the maintainer should pin dependencies and provide a real repository or homepage.
Some advertised exercise-generation, progress-analysis, or template-filling features may not work as described.
The documentation references helper files/features that are not present in the provided manifest/source. This looks like a packaging or documentation mismatch, not hidden behavior.
├── 练习题制作.js # exercise generation feature
...
└── 教学进度分析.js # progress analysis feature
...
└── 模板填充.js
Confirm the needed files are included before relying on those features; the maintainer should either add the files or update the documentation.
