Book Fetch
Verdict: Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: book-fetch
Version: 1.0.0

The skill is classified as suspicious because of potential prompt-injection risks against the AI agent in `SKILL.md`. Specifically, the instruction regarding `/etc/hosts` ('The `/etc/hosts` override is already in place: `186.2.165.77 annas-archive.li`') could be interpreted by an agent as a directive to make sure that system configuration is present, potentially leading to unauthorized privileged system modification. Additionally, the instruction to execute `rclone ls mega:/` is an explicit command for the agent to run. While the Python script `scripts/book_fetch.py` itself appears robust, using `subprocess.run` with argument lists and sanitizing user inputs, the instructions in the markdown pose a risk for an agent that might over-interpret them or attempt to 'fix' environmental prerequisites.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A downloaded file could be uploaded into a MEGA account/session the user did not expect, changing cloud storage contents.
The code uses any configured MegaCMD session before falling back to rclone. SKILL.md setup emphasizes rclone, so the actual MEGA account used may be an ambient MegaCMD login not clearly declared to the user.
    if not _cmd_exists("mega-put"):
        print("⚠️ megacmd not found. Trying rclone...")
        return upload_via_rclone(filepath, mega_folder)
    ...
    subprocess.run(["mega-put", str(filepath), f"{mega_folder}/"], ...)

Recommendation: Declare the exact credential sources and account selection behavior, prefer the documented rclone remote, and ask for confirmation before uploading.
The wrong ebook may be downloaded and uploaded automatically, especially for ambiguous titles.
Unless dry-run or interactive picking is used, the script selects the first result, downloads it, and uploads it. This is purpose-aligned but can exceed a search-only intent.
    parser.add_argument("--dry-run", action="store_true", help="Search only, do not download")
    parser.add_argument("--pick", type=int, default=0, help="Pick result index (0=first, -1=interactive)")
    ...
    filepath = download_file(dl_url, DOWNLOAD_DIR, filename)
    ...
    upload_to_mega(filepath)

Recommendation: Use --dry-run for search-only requests and --pick -1 or an explicit --pick value before downloading or uploading.
The skill may behave differently depending on local system configuration, installed packages, and DNS/hosts setup.
The skill assumes a preexisting system-level hosts override and prebuilt Python environment rather than declaring or pinning the setup in an install spec.
Quoted from SKILL.md:

Anna's Archive is DNS-blocked on the VPS. The `/etc/hosts` override is already in place:
```
186.2.165.77 annas-archive.li
```
...
- venv: `~/clawd/.venv-books/` (requests, beautifulsoup4, lxml)

Recommendation: Verify the hosts entry, Python environment, and package sources before use; prefer a declared, pinned install process.
