Classify every shell command as SAFE, WARN, or CRIT before your agent runs it.
Security Analysis
High confidence: The skill claims to be an instruction-only LLM classifier with no file or network effects, but the package contains scripts that patch and rebuild an OpenClaw installation. This mismatch, and the ability to modify other software, is concerning.
The README/description repeatedly states 'no binaries, no network calls, no credentials' and 'All logic runs within the existing LLM context.' However, the bundle includes scripts that edit an OpenClaw TypeScript source file, insert runtime hook code, rebuild the project, and suggest restarting a system service. These capabilities (modifying source, rebuilding, restarting services) are not reflected in the declared purpose and are disproportionate to a simple 'classify commands' skill.
SKILL.md does not instruct the agent to modify local source or run the provided scripts, and it claims classification happens entirely in-LLM. In contrast, the repository contains explicit patch/unpatch scripts that will write to files under OPENCLAW_DIR, change source code, and rebuild/restart OpenClaw. That is scope creep: the artifact tells humans to run operations the description denies.
There is no automated install specification, so the install step itself carries the lowest risk. The risk here is manual: the included shell scripts, if executed, will modify files on disk. No external downloads or URL-based installers are used, which lowers the risk of fetching third-party code, but the local patch-and-build behavior still poses operational risk to the host.
The package declares no required environment variables or credentials, but the patch scripts implicitly depend on an OPENCLAW_DIR environment variable (with a default path) and expect access to the OpenClaw source tree, pnpm/npm, and systemctl. Those are not declared and grant the script high local access. Rebuilding and restarting services implies elevated privileges and access to system service control that the skill description does not justify.
The patch script edits a different project's source file (pi-tool-definition-adapter.ts) and injects code that affects how tools are executed; it therefore modifies other code and runtime behavior outside the skill's own files. This is a significant privilege (persistent change to another component) even though 'always' is false. The skill can alter the agent/runtime behavior if the owner runs the patch, so exercise caution.
Guidance
This skill's description says it runs purely in the LLM context and does not touch files, but the package includes patch/unpatch scripts that will modify OpenClaw source, rebuild it, and restart a gateway service. Do NOT run these scripts on a production machine you care about. Before using/installing:
1) Verify you actually want OpenClaw patched and that you control the target source tree.
2) Inspect getGlobalHookRunner and any hook-runner-global.js implementation to ensure it does not exfiltrate data or call external endpoints.
3) Back up the target file (the script already creates a backup, but keep your own copy or use version control).
4) Test in a disposable VM/container or a development clone of OpenClaw.
5) Prefer performing the integration manually (apply the patch with code review) rather than running the provided sed script blindly.
6) Ask the publisher to explain why the SKILL.md claims 'no file I/O' when patch scripts are included, and request signed or reviewed code if you plan to trust it.
If you are not comfortable with local source modification and service restarts, treat this skill as unsafe to install.
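The mismatch the analysis keeps returning to, a SKILL.md that denies file and network effects next to scripts that edit source, rebuild and restart a service, can be checked mechanically before anything is installed. The script below is an added example for this page, not code from the ClawHub analysis or from the skill itself: it greps a bundle's shell scripts for in-place edits, build commands, service control and network fetches, then fails the audit when SKILL.md also claims "no file I/O" or "no network calls". The regexes, the assumption that scripts are named *.sh and the constructed sample bundle are all illustrative choices, not facts about the skill.

```sh
#!/bin/sh
# Added example: pre-install audit of a skill bundle. Not the skill's own code.
# Heuristic patterns and the *.sh / SKILL.md layout are assumptions.

# risky_ops DIR: print "label<TAB>file" for each risky pattern found in *.sh files.
risky_ops() {
    dir="$1"
    # label=regex pairs, one per line; split on the first '=' only
    patterns='write_in_place=sed[[:space:]]+-i
rebuild=(pnpm|npm|yarn)[[:space:]]+(run[[:space:]]+)?build
service_control=systemctl[[:space:]]+(restart|stop|start|enable)
network_fetch=(curl|wget)[[:space:]]'
    find "$dir" -type f -name '*.sh' | while IFS= read -r f; do
        printf '%s\n' "$patterns" | while IFS='=' read -r label re; do
            if grep -qE -- "$re" "$f"; then
                printf '%s\t%s\n' "$label" "$f"
            fi
        done
    done
    return 0
}

# claims_no_io DIR: succeed when SKILL.md asserts no binaries / file I/O / network calls.
claims_no_io() {
    [ -f "$1/SKILL.md" ] && grep -qiE 'no (file I/O|binaries|network calls)' "$1/SKILL.md"
}

# audit_skill_dir DIR: print findings; return 1 when the scripts contradict the claim.
# A bundle that discloses its side effects passes even if it patches and rebuilds.
audit_skill_dir() {
    dir="$1"
    findings=$(risky_ops "$dir")
    [ -n "$findings" ] && printf '%s\n' "$findings"
    if [ -n "$findings" ] && claims_no_io "$dir"; then
        echo "MISMATCH: SKILL.md denies file/network effects but the scripts above perform them" >&2
        return 1
    fi
    return 0
}

# make_sample_bundle CLAIM SCRIPT: build a throwaway bundle (constructed sample data).
make_sample_bundle() {
    d=$(mktemp -d)
    printf '%s\n' "$1" > "$d/SKILL.md"
    printf '%s\n' "$2" > "$d/patch.sh"
    printf '%s' "$d"
}

# Stand-alone run on a constructed bundle shaped like the case described above.
sample=$(make_sample_bundle \
  'Instruction-only classifier. No binaries, no network calls, no file I/O.' \
  'sed -i "s/old/new/" "$OPENCLAW_DIR/src/some-adapter.ts"
pnpm build
systemctl restart openclaw-gateway')
if audit_skill_dir "$sample"; then
    echo "audit: claims consistent with scripts"
else
    echo "audit: refuse to install (exit $?)"
fi
rm -rf "$sample"
```

Run it against the unpacked bundle directory rather than the marketplace listing: the listing is what the publisher says, the scripts are what will actually execute. A passing audit only means the description and the scripts agree; it does not replace reading the hook code the guidance points at.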
Latest Release
v2.2.1
Added notes.security transparency block
Published by @globalcaos on ClawHub