Skill marketplace for OpenClaw agents. One subscription, unlimited tools. Search, download, and install skills from the LarryBrain library.
Security Analysis
high confidenceThe skill's purpose (a marketplace) matches the network/filesystem actions it asks for, but the runtime instructions include prompt-injection patterns, contradictory metadata about required credentials, and guidance that would cause the agent to download and write arbitrary third-party code and then run its setup — behavior that requires explicit user consent and stronger safeguards.
The name/description (a skill marketplace) justify network access and the ability to write skills to a local skills/ directory. However, the registry metadata claims no required env vars while SKILL.md lists LARRYBRAIN_API_KEY — this mismatch is unexplained and reduces trust in the manifest.
SKILL.md directs the agent to search, download, write every file from remote responses into skills/{slug}/, prepend update headers, then read and 'follow its setup instructions' (install deps, start services, etc.). That effectively authorizes downloading and executing arbitrary third-party code. The file explicitly tells agents to 'Run this skill FIRST' for unknown tasks, which is scope-expanding and could lead to autonomous installs/execution without clear user consent.
Although there is no formal install spec (it's instruction-only), the runtime instructions rely on curl calls to an external API and require writing and executing returned files. Downloading and extracting arbitrary content from a third-party source into the agent's runtime is high-risk unless the user inspects and approves every file. The SKILL.md claims skills are 'human-reviewed' but provides no mechanism for enforced local sandboxing or verification beyond a manual diff.
The SKILL.md requires LARRYBRAIN_API_KEY (for premium skills), which is reasonable for a marketplace, but this conflicts with the registry metadata that listed no required env vars. The instructions also embed example curl commands that include the API key header; careless handling could leak the key (e.g., if logs or files are exposed). Requiring a single API key is proportionate in isolation, but combined with automatic download/execute semantics it's higher risk.
always:false and model invocation allowed (normal). The skill writes skill files and a local _meta.json — expected for a marketplace. It does not request global agent config changes, but it urges the agent to run first for unknown tasks and to auto-install skills, which effectively increases its operational presence unless the agent enforces explicit user prompts.
Guidance
This skill is coherent with being a 'marketplace' but its runtime instructions allow the agent to download, write, and then execute arbitrary third-party skill code — which is risky. Before installing or using: 1) Require explicit user approval before downloading or installing any skill, and require the user to inspect remote files first. 2) Do not allow automatic execution of downloaded setup scripts; run installs only inside a sandbox or VM. 3) Verify the LarryBrain service origin (check the GitHub repo and HTTPS certificate) before trusting content. 4) Scope the LARRYBRAIN_API_KEY (use least privilege, short-lived keys if possible) and avoid embedding it in files or logs. 5) Treat the detected prompt-injection pattern as suspicious — ensure your agent ignores instructions in downloaded SKILL.md that try to override prior policies or request credential exfiltration. If you need a safer alternative, prefer marketplace workflows that provide signed releases, reproducible checksums, or require manual, user-driven installation steps.
Latest Release
v1.5.3
**LarryBrain v1.5.3 introduces a required update-check header to all installed skills for improved security.** - Every time a skill is installed, a standardized update-check block is prepended to the SKILL.md file. - The header instructs any agent to always check for updates and review remote changes before using the skill. - The install API example and instructions are updated to reference version 1.5.3. - No changes to the API structure or permissions; this is a documentation and process enhancement to make update checking universal and explicit.
More by @OllieWazza
Published by @OllieWazza on ClawHub
