ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Environment Doc Author

v1.0.0

Verify real local environment facts before an agent uses machine-specific commands, runtimes, compilers, services, or startup scripts, then create or refresh...

1· 103·0 current·0 all-time
by@zshtolors
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match included artifacts: two detector implementations (Node and Python) and two renderers. The scripts probe PATH, common tool executables, env vars, and system service checks — all expected for generating an environment baseline.
Instruction Scope
SKILL.md explicitly limits scope (read baseline first, verify facts, never install/modify without explicit approval). Runtime instructions and included scripts probe executables, env vars, PATH entries, and optionally services/ports — which is coherent with the stated goal. The skill will read local files (baselines, probe files, shell profiles) and write JSON/markdown outputs as intended.
Install Mechanism
No install spec (instruction-only install). Scripts are included and run locally via Python or Node; no external downloads or package installs are performed by the skill itself.
Credentials
The skill does not request credentials or configuration paths. It does read many environment variables (JAVA_HOME, PATH markers, etc.) and runs local commands to discover versions — this is proportionate and necessary for its purpose.
Persistence & Privilege
Skill is not always-enabled and uses normal autonomous invocation. It writes/updates environment-baseline.json and rendered docs in the repository (documented behavior). It does not request system-wide privileges or attempt to modify other skills' configs.
Assessment
This skill will run local commands, inspect environment variables, examine PATH entries, and write files such as environment-baseline.json, ENVIRONMENT_POLICY.md, and AGENTS.environment.md. That behavior is expected and documented. Before running: (1) review the included scripts if you want to confirm exact commands executed; (2) back up any existing AGENTS.md or environment-baseline.json if you care about preserving them; (3) run the detector with explicit, limited probe arguments when you only need to verify a small set of tools; (4) do not run the scripts with elevated privileges if you do not trust them. The SKILL.md forbids installing/upgrading software without explicit approval — if you see behavior that changes the environment automatically, stop and review. If you want extra assurance, run the scripts in a controlled environment or container first.
scripts/detect_environment.js:427
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk978r8dwqdw5ewhf5gaes7zmw1833760

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments