Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Utils

v1.3.1

General-purpose error-handling library. Provides unified error handling, alert filtering, and logging for all skills. Supports GraphQL warning filtering, safe Python invocation, API retries, and safe Git operations.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the provided code: a Bash error-handling/logging library with safe wrappers for commands, Python, curl, git and gh. Minor inconsistencies exist in metadata (SKILL.md/package.json versions differ; SKILL.md points to one GitHub repo while package.json points to another) and the license text in SKILL.md (MIT) is contradicted by a commercial-fee section — a legal/metadata mismatch, though not indicative of malicious code.
Instruction Scope
SKILL.md and examples instruct the agent to source the shell library and call its functions — that matches the files. However example and test code use absolute, user-specific paths (/home/zhaog/.openclaw..., /root/.openclaw...), which could cause the skill (or tests) to access unexpected locations if blindly copied. The library also invokes external tools (git, gh, curl, python3) which will act with whatever credentials/config are present on the host.
Install Mechanism
There is no install spec and the skill is distributed as shell scripts and examples. No remote downloads or archives are performed by the skill itself — low install risk.
Credentials
The skill declares no required environment variables, which is consistent, but it does read/obey optional env vars (ERROR_HANDLER_LOG, ERROR_HANDLER_DEBUG, ERROR_HANDLER_SHOW_TIP, AUTO_PUSH). More importantly, runtime operations (safe_git_push, safe_gh) will use the host's git/gh configuration and credentials if present — granting the skill the ability to push code or create GitHub comments indirectly. This is proportionate for a git/gh helper but is a privilege the user should be aware of.
Persistence & Privilege
always:false and no attempt to become permanently injected into the agent. The script writes logs and a sentinel file under /tmp (e.g., /tmp/error-handler.log, /tmp/error-handler-tip-shown) which is typical for utilities; it does not modify other skills or system-wide agent settings.
What to consider before installing
This script is mostly what it claims to be — a Bash error-handling utility — but review a few things before installing or sourcing it directly:
1) Metadata and license inconsistencies: SKILL.md, package.json and the repository URLs don't fully match, and SKILL.md includes commercial-fee text that conflicts with the MIT label. Clarify licensing if that matters to you.
2) Examples/tests contain absolute, user-specific paths (/home/zhaog..., /root/.openclaw...) — don't blindly copy those; point sourcing at the intended path in your environment.
3) The library will call git and gh when asked; those calls will use whichever GitHub/Git credentials/config exist on the host and can push or post comments. If you run this under an agent that has repository or GH access, it could perform pushes/comments — consider running with AUTO_PUSH unset (it prompts) or in a sandbox.
4) handle_error and the safe_* wrappers intentionally swallow errors (return success after fallback), which can mask failures; ensure your workflow handles that.
5) Because it runs arbitrary commands passed as strings, only call its wrappers with trusted inputs.
If you need higher assurance, review the script contents locally and test in an isolated environment before granting it access to live repositories or credentials.


latest: vk975pzmqfd8hz5gy3px1ymzgw98395hh
