Find Skills - 查找技能 Security Report — Low Risk | ClawSafe

20 /100

Find Skills - 查找技能

用 find_skills.py 在 ClawHub 搜索或列举已装技能，支持 JSON 输出

A legitimate skill discovery tool for ClawHub that uses subprocess to call the clawhub CLI and reads filesystem paths. The install command defaults to dry-run, providing good safety defaults.

Skill NameFind Skills - 查找技能

Duration35.1s

Enginepi

✓

Safe to install

The skill is safe for use. Consider declaring shell:WRITE capability explicitly in SKILL.md if the subprocess behavior is considered shell execution.

Findings 3 items

Severity	Finding	Location
Low	subprocess usage not formally declared The code invokes clawhub CLI via subprocess.run() but SKILL.md does not list shell:WRITE in allowed-tools mapping. This is consistent with documented entry points and CLI examples but lacks formal declaration. `p = subprocess.run([exe] + args, capture_output=True, text=True, encoding="utf-8", errors="replace", timeout=timeout, shell=False)` → Add shell:WRITE to declared capabilities if subprocess invocations are considered shell access.	`find_skills.py:153`
Low	Install defaults to dry-run The install command requires --execute flag to actually write files. This is a good safety default that prevents accidental installation. `if not execute: payload = {..., "dry_run": True}` → This is a positive security feature.	`find_skills.py:525`
Info	No external dependencies Uses only Python standard library (json, os, re, shutil, subprocess, urllib, pathlib). No pip install required. `import json, os, re, shutil, subprocess, sys, urllib...` → No action needed - standard library usage is secure.	`find_skills.py:1`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`READ`	✓ Aligned	find_skills.py:176 - Path.home() / ".openclaw/workspace/skills"
Network	`READ`	`READ`	✓ Aligned	find_skills.py:285-301 - urllib GET to clawhub.ai/api/v1/skills/
Shell	`NONE`	`WRITE`	✓ Aligned	find_skills.py:153-165 - subprocess.run([exe] + args)

6 findings

🔗

Medium External URL 外部 URL

https://www.jisuapi.com/

SKILL.md:77

🔗

Medium External URL 外部 URL

https://clawhub.ai/org/skill

find_skills.py:23

🔗

Medium External URL 外部 URL

https://clawhub\.ai/([A-Za-z0-9_.-

find_skills.py:25

🔗

Medium External URL 外部 URL

https://clawhub.ai/api/v1/skills/

find_skills.py:37

🔗

Medium External URL 外部 URL

https://clawhub.ai/%s

find_skills.py:307

🔗

Medium External URL 外部 URL

https://clawhub.ai/

find_skills.py:419

File Tree

2 files · 39.2 KB · 1077 lines

Python 1f · 991L Markdown 1f · 86L

├─ 🐍 find_skills.py Python 991L · 34.1 KB

└─ 📝 SKILL.md Markdown 86L · 5.1 KB

Security Positives

✓ Install command defaults to dry-run mode for safety

✓ No credential harvesting or environment variable exfiltration

✓ No base64-encoded payloads or obfuscated code

✓ No remote script execution (curl|bash, wget|sh)

✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)

✓ Network requests limited to documented clawhub.ai API endpoints

✓ No eval(), exec(), or dynamic code execution

✓ Uses standard library only - no external dependencies to audit

Scan Report

Findings 3 items

File Tree

Security Positives