openclaw-connect-node

clawhub

Summary

openclaw-connect-node v1.0.10 was classified as CRITICAL RISK with a risk score of 270. Sigil detected 25 findings across 30 files, in phases including install hooks and network exfiltration. Review the findings below before installing this package.

CRITICAL RISK (270)

v1.0.10

14 June 2026, 05:04 UTC

by Sigil Bot

Risk Score: 270
Findings: 25
Files Scanned: 30

Findings by Phase

Phase Ordering

Phases are ordered by criticality, with the most dangerous at the top.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

install-node.sh:21

#   Method 3 (remote curl):
#     curl -sSL https://your-hub/install-node.sh | bash -s -- \
#       --hub-url http://YOUR_HUB_IP:3100 \
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

install-node.sh:140

    info "正在安装 Node.js 22 LTS..."
    curl -fsSL https://deb.nodesource.com/setup_22.x | bash - 2>/dev/null
    apt-get install -y nodejs 2>/dev/null || {
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

install-node.sh:143

      # Try yum for RHEL-based
      curl -fsSL https://rpm.nodesource.com/setup_22.x | bash - 2>/dev/null
      yum install -y nodejs 2>/dev/null || error "Node.js 安装失败,请手动安装 Node.js >= 18"
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

install-node.sh:151

  if command -v apt-get &>/dev/null; then
    curl -fsSL https://deb.nodesource.com/setup_22.x | bash - 2>/dev/null
    apt-get install -y nodejs 2>/dev/null || error "Node.js 安装失败"
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

install-node.sh:154

  elif command -v yum &>/dev/null; then
    curl -fsSL https://rpm.nodesource.com/setup_22.x | bash - 2>/dev/null
    yum install -y nodejs 2>/dev/null || error "Node.js 安装失败"
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.
