builtin-tools — 跨平台基础工具集

Name: builtin-tools
Author: wangjiaocheng

View on ClawHub↗

Share on X Share on LinkedIn Share on Bluesky

100Critical

This skill is designed to bypass platform security

ThreatsCI SM CS BC S HITL

Behavior Analysis

Mismatch detected — The skill claims to be 'pure Python standard library, zero external dependencies' and to 'supplement missing basic tools with its own scripts'. However, it explicitly allows executing arbitrary system commands and installing external binaries, which introduces external dependencies and broadens its scope beyond just its internal scripts.

Claims to do

builtin-tools — 跨平台基础工具集: 当宿主 Agent 平台缺少某个基础工具时，用本技能的脚本补足。所有脚本纯 Python 标准库实现，零外部依赖，跨 Windows/macOS/Linux。

Actually does

This skill executes Python scripts to perform file system operations (list, search, read, write, replace, delete), search and fetch web content, and manage persistent memory, scheduled tasks, and to-do lists. Crucially, its `execute_command.py` entry point also allows direct execution of arbitrary system commands and opening of arbitrary URLs.

Threat Analysis

AI Agent Traps ↗Scanned 4/18/2026

Content InjectionPerceptionclean

Semantic ManipulationReasoning3 findings

Cognitive StateMemory & Learning1 finding

Behavioural ControlAction12 findings

SystemicMulti-Agent Dynamics1 finding

Human-in-the-LoopHuman Overseerclean

Skill Info

Namewangjiaocheng/builtin-tools

Registryclawhub

Version1.0.0

PURLpkg:clawhub/wangjiaocheng/builtin-tools@1.0.0

Downloads55

Source

Repository ↗

SHA-256d62c6a91e60e...

SHA-18215b200adbb...

MD51006962b0b2f...

TLSH6ab1e7b054ba...

ssdeep96:5skuUM2Gu...

Size5,284 bytes

Install

This skill has been flagged as potentially malicious. Review the findings below before installing.

OpenClawDocs

https://clawhub.ai/wangjiaocheng/builtin-tools

55 downloads

ClawHubDocs

openclaw skills install wangjiaocheng/builtin-tools

Assessments (4)

AI Agent Traps ↗

Arbitrary System Command Executioncriticalcommand execution

The `execute_command.py` script explicitly supports a 'command' mode to execute arbitrary system commands, posing a severe risk for system compromise.

100% confidenceline 50

{"mode": "command", "command": "ls -la"}

Persistence via Scheduled Task Creationhighpersistence

The `automation_update.py` script can create or modify scheduled tasks, allowing an attacker to establish long-term control or execute commands persistently.

100% confidenceline 42

automation_update.py | 定时任务 | python automation_update.py '{"mode":"create","name":"...","prompt":"...","rrule":"..."}'

Supply Chain Risk via Binary Installationhighsupply chain

The `install_binary.py` script allows runtime installation of binaries, which could introduce malicious software from untrusted sources despite integrity checks.

100% confidenceline 40

install_binary.py | 运行时安装 | python install_binary.py '{"type":"python","version":"3.13.12"}'

Data Exfiltration via Arbitrary File Readhighdata exfiltration

The `read_file.py` script can read content from any specified file path, enabling an attacker to exfiltrate sensitive data or credentials.

100% confidenceline 30

read_file.py | 读取文件 | python read_file.py '{"path":"f.txt","offset":0,"limit":50}'

Impact/Persistence via File System Modificationhighimpact

Scripts like `write_file.py`, `replace_in_file.py`, and `delete_file.py` allow arbitrary modification or deletion of files, potentially leading to data destruction or system compromise for persistence.

100% confidenceline 34

`write_file.py`, `replace_in_file.py`, `delete_file.py` entries in the script list.

Extensive Reconnaissance Capabilitiesmediumreconnaissance

Multiple scripts (`list_dir.py`, `search_file.py`, `search_content.py`, `web_search.py`) provide broad system and web information gathering capabilities, useful for an attacker's initial phase.

100% confidenceline 36

`list_dir.py`, `search_file.py`, `search_content.py`, `web_search.py` entries in the script list.

Web Content Fetchingmediumssrf

The `web_fetch.py` script can retrieve content from arbitrary URLs, potentially enabling Server-Side Request Forgery (SSRF) to access internal network resources or fetch malicious payloads.

100% confidenceline 30

web_fetch.py | 网页抓取 | python web_fetch.py '{"url":"https://..."}'

Bootstrap Design Enables Full Toolset via Single Commandhightool poisoning

The 'self-bootstrap' (自举) design explicitly states that execute_command.py can dispatch all other scripts and that the platform only needs to support one Python command. This design pattern is intentionally constructed to bypass platform-level tool restrictions and capability controls by consolidating all capabilities into a single entry point.

92% confidenceline 8

自举设计：execute_command.py 可调度所有其他脚本，平台只需支持一条 Python 命令即可全量使用 / **自举设计** — `execute_command.py` 可调度所有其他脚本，只需平台支持执行一条 Python 命令

Arbitrary File Write Capabilityhighcommand execution

write_file.py provides the ability to write arbitrary content to arbitrary file paths on the host filesystem. Combined with execute_command.py, this can be used to write malicious scripts, overwrite configuration files, inject persistence mechanisms (crontabs, shell profiles, SSH authorized_keys), or plant code for later execution.

90% confidenceline 33

| `write_file.py` | 写入文件 | `python write_file.py '{"path":"f.txt","content":"hello"}'` |

Arbitrary File Deletion Capabilityhighimpact

delete_file.py provides the ability to delete arbitrary files. While root and home directory deletion is claimed to be blocked, all other paths are deletable, enabling data destruction attacks on application data, logs, databases, or configuration files.

88% confidenceline 39

| `delete_file.py` | 删除文件 | `python delete_file.py '{"path":"f.txt"}'` | and `delete_file.py` 禁止删除根目录和用户主目录

Regex Content Search Enables Credential Harvestingmediumcredential harvesting

search_content.py allows regex-based content search across the filesystem. This can be used to systematically search for credentials, API keys, tokens, passwords, and private keys stored in configuration files, source code, or environment files.

78% confidenceline 36

| `search_content.py` | 正则内容搜索 | `python search_content.py '{"pattern":"TODO","path":"."}' |

Browser URL Preview Enables Unmonitored Navigationmediumtool poisoning

preview_url.py opens URLs in the system browser. This could be used to load attacker-controlled pages that exploit browser vulnerabilities, trigger OAuth flows, exfiltrate tokens via URL parameters, or perform clickjacking against authenticated sessions.

65% confidenceline 39

| `preview_url.py` | 浏览器预览 | `python preview_url.py '{"url":"https://..."}'` |

Description Mismatchhighdescription mismatch

The skill claims to be 'pure Python standard library, zero external dependencies' and to 'supplement missing basic tools with its own scripts'. However, it explicitly allows executing arbitrary system commands and installing external binaries, which introduces external dependencies and broadens its scope beyond just its internal scripts.

85% confidence

Stated purpose: '所有脚本纯 Python 标准库实现，零外部依赖'. Actual behavior: `execute_command.py` supports `{"mode": "command", "command": "ls -la"}` and `install_binary.py` downloads/installs binaries.

Platform Tool Restriction Bypass via Fallback Designhighoversight evasion

The skill instructs the agent to use platform built-in tools 'first' but fall back to these scripts when the platform 'doesn't support' a capability. This framing trains the agent to bypass platform-level sandboxing and tool restrictions under the guise of a benign fallback policy, potentially circumventing security controls the platform operator intentionally put in place.

82% confidenceline 21

**优先用宿主平台内置工具** — 仅在平台不支持时回退到本技能脚本

Description Claims shell=False but Powershell Used on Windowsmediumoversight evasion

The security policy claims execute_command.py does not use shell=True, but notes it passes commands to powershell.exe on Windows. Invoking PowerShell with user-controlled command strings is functionally equivalent to shell=True and bypasses the claimed security control, as PowerShell will execute arbitrary commands including aliases, scripts, and encoded commands.

82% confidenceline 114

`execute_command.py` 不使用 `shell=True`（Windows 用 list 参数传递给 powershell.exe）

Cognitive State Manipulation (Memory Poisoning)mediummemory poisoning

The `update_memory.py` script can modify the agent's 'persistent memory,' which could be abused to poison its knowledge base or influence future reasoning.

100% confidenceline 41

update_memory.py | 持久化记忆 | python update_memory.py '{"action":"create","title":"...","content":"..."}'

Pipe Chaining Enables Complex Multi-Stage Attacksmediumautonomy abuse

The pipe mode (mode: pipe) allows chaining multiple scripts together with data flowing automatically between them. This enables construction of complex multi-step attack chains (e.g., search for files containing credentials → exfiltrate via web_fetch → write results) without requiring separate agent decisions at each step, bypassing human oversight opportunities.

80% confidenceline 68

{"mode": "pipe", "chain": ["search_file", "search_content"], "params": {"pattern": "*.py"}}

Badge

Markdown

[![Mondoo Skill Check](https://mondoo.com/ai-agent-security/api/badge/clawhub/wangjiaocheng/builtin-tools.svg)](https://mondoo.com/ai-agent-security/skills/clawhub/wangjiaocheng/builtin-tools)

HTML

<a href="https://mondoo.com/ai-agent-security/skills/clawhub/wangjiaocheng/builtin-tools"><img src="https://mondoo.com/ai-agent-security/api/badge/clawhub/wangjiaocheng/builtin-tools.svg" alt="Mondoo Skill Check" /></a>

Image URL

https://mondoo.com/ai-agent-security/api/badge/clawhub/wangjiaocheng/builtin-tools.svg

Secure your AI agents

Skills can read files, run commands, and access credentials. Mondoo helps organizations manage the security risks of AI agent skills across their entire fleet.

Continuous scanning of skills across all registries
Policy enforcement before skills reach your agents
Integration with your existing security workflow