Security Scan
OpenClaw
Safe
high confidence
Assessment and recommendations
This skill appears to be what it says: a wrapper/documentation for Apktool. Before installing, consider: (1) jadx is listed as a required binary even though it’s optional — you can remove it from requirements if you don't need Java decompilation. (2) The manual install runs sudo + curl/wget/unzip and writes to /opt and /usr/local/bin — review the script and the GitHub release links before running with elevated privileges. (3) Prefer your OS package manager (brew/apt) where possible rather than r...
ℹ Purpose and capabilities
The skill's name/description (Apktool reverse-engineering) matches the binaries and instructions. One minor inconsistency: the declared required binaries list includes 'jadx' as mandatory, but the SKILL.md and docs treat jadx as an optional complementary tool (used only if the user wants Java-source decompilation). Making jadx a hard requirement is stricter than needed for the stated purpose.
✓ Instruction scope
Runtime instructions are limited to local reverse-engineering tasks (apktool commands, edit files, recompile/sign). They do not instruct reading unrelated system files, exfiltrating data, or posting results to third-party endpoints. Install-related commands (curl/wget) fetch releases from GitHub, which is expected for tool installation.
ℹ Install mechanism
Primary install spec uses package managers (brew/apt), which is low risk. The provided manual install script for jadx downloads a zip from a GitHub releases URL and unpacks it into /opt and symlinks into /usr/local/bin — a common pattern but it executes sudo, curl/wget, unzip and writes to system paths. This is moderate risk only because it executes remote-downloaded binaries; the source is a GitHub release (traceable) rather than an unknown personal server.
✓ Credential requirements
No environment variables, credentials, or config paths are requested. The skill does not ask for unrelated secrets or permissions; requested binaries (apktool, java, optionally jadx) are proportionate to its function.
✓ Persistence and privileges
The skill does not request always:true, does not claim system-wide persistent privileges, and contains no instructions to modify other skills or global agent configuration. Autonomous invocation is allowed (platform default) but not combined with other concerning privileges.
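Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v0.0.2 2026/2/28
● Harmless
Install command
Official: npx clawhub@latest install apktool
Mirror (accelerated): npx clawhub@latest install apktool --registry https://cn.longxiaskill.com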