Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
config-new-agent
v1.0.2为 OpenClaw 新增的 agent 配置 bindings 并安装必要的 skills。当用户说"添加新 agent"、"配置新 agent binding"、或需要为 agent 分配群组时触发。工作流程:(1) 从 openclaw.json 读取 agent list,(2) 找出没有 binding...
⭐ 0· 94·0 current·0 all-time
byYiwei@ywewanhuang
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The SKILL.md behavior (read/modify /root/.openclaw/openclaw.json, add bindings, restart gateway, and install a set of skills into a per-agent workspace) matches the description of 'configure new agent bindings and install necessary skills.' However the package metadata declares no required binaries or credentials even though the instructions assume command-line tools (openclaw, clawhub) and access to /root/.openclaw. The source is unknown and there is no homepage, reducing provenance.
Instruction Scope
Instructions direct the agent to read and modify a root-owned config file (/root/.openclaw/openclaw.json), write files into per-agent workspaces under /root/.openclaw/, edit SKILL.md files inside installed workspaces, and restart the gateway. Those are privileged, state-changing operations. The skill does require explicit user confirmation before restart (good) but otherwise gives the agent steps that will install additional software and modify system state. There is no code here to audit; everything relies on runtime execution of shell commands and remote installs.
Install Mechanism
This is an instruction-only skill (no install spec), but it instructs running 'clawhub install' for multiple third-party skills. The metadata fails to declare 'clawhub' or 'openclaw' as required binaries, an inconsistency. Installing those skills at runtime means arbitrary remote packages will be fetched and placed under /root/.openclaw/workspace-<agentId>; without a stated install source (registry URL, release host) it's not possible to verify provenance of what will be installed.
Credentials
The skill declares no required environment variables or credentials and the instructions only ask the user for a Feishu group ID (oc_xxx). It does not request unrelated secrets. That said, it requires filesystem and command access to root-owned OpenClaw config and the ability to install packages—privileges that should be explicitly acknowledged by the operator.
Persistence & Privilege
always:false (normal). The skill asks operators to keep the installed self-improving-proactive-agent 'always running' and to add an isolation notice to its SKILL.md; this is an operational requirement rather than platform privilege escalation. Still, the runtime steps grant the skill the ability to perform persistent changes (install skills, edit files, keep processes running), so the operator should be comfortable with that level of persistent system modification.
What to consider before installing
This skill will make privileged changes: it reads and edits /root/.openclaw/openclaw.json, installs third-party skills via 'clawhub', edits SKILL.md files and restarts the OpenClaw gateway. The metadata omits required binaries ('clawhub', 'openclaw') and the skill source is unknown. Before installing or running this skill: (1) require the operator to back up /root/.openclaw/openclaw.json, (2) verify that 'clawhub' and 'openclaw' are the expected, trusted tools on your system, (3) review the SKILL.md or source of each skill it will install (skill-vetter, skill-finder-cn, self-improving-proactive-agent, openclaw-tavily-search) to ensure they are trustworthy, (4) consider testing in an isolated environment, and (5) only allow the gateway restart after manual confirmation. If you can obtain the skill's source or a homepage/registry links for the listed skills, provide those to get a higher-confidence assessment.Like a lobster shell, security has layers — review code before you run it.
latestvk974ckm0me8vfs6nmqfe2qjza584kazq
License
MIT-0
Free to use, modify, and redistribute. No attribution required.