[Appeal] terminal-killer False Positive — Request to Remove VirusTotal Warning

[cosperypf]

Skill Information

Field	Value
Skill Name	terminal-killer
Slug	terminal-killer
Version	1.2.0
Author	Cosper (@cosperypf)
Email	cosperypf@163.com
Skill URL	https://clawhub.ai/skills/terminal-killer

---

Issue Description

The terminal-killer skill is flagged with a ⚠️ "suspicious" warning by VirusTotal Code Insight
when users try to install it.

This is a false positive. The detected patterns (execSync, shell config access, etc.) are
intentional core functionality, not malicious behavior.

---

What Does This Skill Do?

terminal-killer is a smart command router for OpenClaw agents:

1. Detects if user input is a shell command (e.g., ls -la, git status, adb devices)
2. Executes commands directly via execSync (bypassing LLM for speed)
3. Passes to LLM if input is a natural language request (e.g., "help me write code")

---

Why VirusTotal Flags It (and Why It's Safe)

| Detected Pattern | Why It's Flagged | Actual Purpose |
|-----------------|------------- -----|----------------|
| execSync / child_process | Can execute arbitrary code | Core functionality — executes user
commands |
| Reading ~/.zshrc, ~/.bashrc | Config file access | Load user's PATH and environment variables |
| Reading shell history | Privacy concern | Improve command detection accuracy |
| process.env access | Environment manipulation | Inherit user's shell environment |
| spawn for interactive shells | Process creation | Handle ssh, adb shell, docker exec -it |

---

Security Verification

✅ No Malicious Patterns

• ❌ No hard-coded API keys or secrets
• ❌ No external network calls (no fetch, axios, http modules)
• ❌ No data exfiltration (no sending data to external servers)
• ❌ No code obfuscation (all plain JavaScript)
• ❌ No persistence mechanisms (no startup scripts, registry edits)
• ❌ No privilege escalation (runs as current user only)

✅ Security Measures Implemented

1. Dangerous Command Detection — Prompts for confirmation on rm -rf, sudo, dd, etc.
2. 30-Second Timeout — Prevents hangs
3. Environment Isolation — Runs in user's shell context, no system-wide modifications
4. Full Transparency — All source code public, author identity disclosed

---

Code Statistics

File	Purpose	Lines
scripts/index.js	Main entry point	~180
scripts/detect-command.js	Command detection logic	~350
scripts/exec-command.js	Command execution	~80
scripts/interactive.js	Interactive shell handling	~150
clawhub.json	Skill metadata (includes securityNote)	~40
README.md	Documentation with security notice	~300

Total: ~1,100 lines of plain, readable JavaScript

---

Request

I respectfully request ClawHub to:

1. Whitelist this skill from automatic VirusTotal warnings, OR
2. Mark my account (@cosperypf) as a trusted developer for future publications, OR
3. Add a visible note on the skill page explaining this is a known false positive

---

How to Verify

# Install the skill
clawhub install terminal-killer --force

# Review source code
cd ~/.openclaw/workspace/skills/terminal-killer
cat scripts/*.js

# Run tests
node scripts/test-detector.js

# Test execution
node scripts/index.js "ls -la"
node scripts/index.js "help me write code"


Contact
- Author: Cosper
- Email: cosperypf@163.com
- ClawHub Account: cosperypf (ID: kn7exrggk246859ahw29g0mk89820076 )


Thank you for reviewing this appeal! 🙏

Date: 2026-03-02

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. ClawHub cleanup policy keeps issues open in this lane, and the substantive appeal is still unresolved: production still reports terminal-killer v1.2.0 as suspicious while current main provides generic appeal, rescan, scanner calibration, and audited manual-override tooling rather than a reviewed clearance for this exact artifact or publisher.

Required change / next step:

The remaining action is staff security/moderation review of a live artifact and publisher account; no narrow source-only fix can decide that this specific skill or account should be trusted.

Security review:

Security review needs attention: This issue is a security-sensitive moderation appeal for a live artifact that intentionally runs local shell commands and remains suspicious in production.

Review details

Best possible solution:

ClawHub staff or moderators should review the exact terminal-killer v1.2.0 artifact, scanner evidence, and publisher history. If they confirm a false positive, they should apply the existing audited manual clean override with a review note; any trusted-publisher decision should go through marketplace/admin policy, while broader appeal-link UX remains tracked by #371.

Security concerns:

• [high] Review before trusting local command execution
  The appealed skill intentionally executes arbitrary local shell commands, sources shell configuration, and reads shell history, while the live scan still reports suspicious VirusTotal and LLM verdicts. A manual clearance should require staff review of the exact artifact and scanner evidence.
  Confidence: 0.94
• [medium] Treat publisher trust as account policy
  Marking the publisher trusted would affect future publications beyond this single version, so it should be handled as a marketplace/admin policy decision rather than an automated source-only cleanup.
  Confidence: 0.88

Acceptance criteria:

• Re-check https://clawhub.ai/api/v1/skills/terminal-killer for version, owner, and moderation verdict.
• Re-check https://clawhub.ai/api/v1/skills/terminal-killer/scan for SHA-256, scanner verdicts, checkedAt, and requested-version match.
• Re-check https://clawhub.ai/api/v1/skills/terminal-killer/moderation for reason codes, engine version, and any manual override state.
• Review the exact terminal-killer v1.2.0 source artifact before applying a manual override or publisher trust change.

What I checked:

• Issue request: The issue asks for a per-skill whitelist, trusted-publisher status, or a visible false-positive note for terminal-killer v1.2.0.
• Live skill remains flagged: The public skill API returns latest version 1.2.0, owner handle cosperypf, moderation.isSuspicious: true, verdict suspicious, and reason codes suspicious.llm_suspicious plus suspicious.vt_suspicious.
• Live scan remains suspicious: The public scan endpoint reports version 1.2.0, moderation.matchesRequestedVersion: true, security.status: suspicious, SHA-256 241c18abd90965ab3401ed10c0ffb162a12d48870b380b8057fe9ab0f8cc42c1, and suspicious VirusTotal plus LLM scanner results.
• Live moderation remains suspicious: The public moderation endpoint returns verdict suspicious, reason codes suspicious.llm_suspicious and suspicious.vt_suspicious, engine version v2.4.2, and no public manual-cleared state.
• No target-specific clearance in main: Exact source search found no checked-in reference to the appealed slug, publisher handle, reported account id, or live artifact hash, so current main does not contain a per-skill whitelist, trusted-publisher grant, false-positive note, or appeal record for this item. (7bef2a0b65d4)
• Generic appeal banner exists: Suspicious skill pages show a generic warning and, for managers, link to GitHub issues for incorrect flags; this supports appeals but does not resolve this specific artifact. (src/components/SkillHeader.tsx:124, 7bef2a0b65d4)

Likely related people:

• Patrick-Erichsen: Current blame and feature history point to Patrick Erichsen for the suspicious-skill banner, owner/admin rescan path, and manual override surfaces used to process this kind of appeal. (role: recent maintainer and moderation/rescan surface owner; confidence: high; commits: ecf09b868a98, ef2846b2e4c7, e6c3d6ff28b1; files: src/components/SkillHeader.tsx, src/components/SkillDetailPage.tsx, src/components/DetailSecuritySummary.tsx)
• deepujain: Deepak Jain authored the current-main moderation calibration for VirusTotal Code Insight suspicious signals, which is directly relevant to false-positive appeal handling. (role: VirusTotal Code Insight calibration contributor; confidence: medium; commits: d855d09ab070; files: convex/lib/moderationEngine.ts, convex/lib/moderationEngine.test.ts, convex/skills.ts)
• steipete: Peter Steinberger authored adjacent cleanup for uncorroborated VirusTotal suspicious state and appears in nearby manual-override/moderation history. (role: adjacent scanner moderation maintainer; confidence: medium; commits: 232e429dee6f, 8752e4bb7e92; files: convex/skills.ts, convex/skills.manualOverrides.test.ts, convex/skills.rateLimit.test.ts)

Remaining risk / open question:

• Clearing this appeal automatically would be security-sensitive because the published skill intentionally executes arbitrary local shell commands, sources shell configuration, reads shell history, and live scanners still report suspicious findings.
• Trusted-publisher status would affect future publications beyond this one artifact, so it is an account/admin policy decision rather than a narrow repository cleanup.
• Production moderation state can change independently of source, so staff should re-check the live scan and moderation endpoints immediately before acting.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7bef2a0b65d4.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. ClawHub cleanup policy keeps issues open, and the substance remains unresolved: production still reports terminal-killer v1.2.0 as suspicious while current main provides generic appeal, rescan, moderation endpoint, and audited manual-override tooling rather than a skill- or publisher-specific clearance.

Required change / next step:

This needs staff security/moderation review against the live artifact and publisher history; it is not a safe automated fix-PR because no source-only change can decide that the specific skill or account should be trusted.

Best possible solution:

ClawHub staff or moderators should review the exact terminal-killer v1.2.0 artifact, scanner evidence, and publisher history. If they confirm a false positive, they should use the existing audited manual clean override with a review note; any trusted-publisher decision should go through marketplace/admin policy, while the broader appeal-link UX remains tracked by #371.

Acceptance criteria:

• curl -fsSL -A 'Mozilla/5.0 ClawSweeper review' 'https://clawhub.ai/api/v1/skills/terminal-killer/scan'
• curl -fsSL -A 'Mozilla/5.0 ClawSweeper review' 'https://clawhub.ai/api/v1/skills/terminal-killer/moderation'

What I checked:

• Live scan still suspicious: The public scan endpoint returns terminal-killer version 1.2.0 with moderation.matchesRequestedVersion: true, moderation.isSuspicious: true, security.status: suspicious, SHA-256 241c18abd90965ab3401ed10c0ffb162a12d48870b380b8057fe9ab0f8cc42c1, and suspicious VirusTotal plus ClawScan verdicts.
• Live moderation still suspicious: The public moderation endpoint returns verdict: suspicious, reason codes suspicious.llm_suspicious and suspicious.vt_suspicious, engine version v2.4.2, and no manual-cleared state.
• No target-specific clearance in main: Exact search found no checked-in reference to the skill slug, publisher handle, reported account id, or live artifact hash, so current main does not contain a target-specific whitelist, trusted-publisher grant, false-positive note, or appeal record. (7bef2a0b65d4)
• Generic appeal banner exists: Suspicious skill pages show a warning and, for managers, link to GitHub issues for incorrect flags; this supports appeals but does not resolve this specific appeal. (src/components/SkillHeader.tsx:124, 7bef2a0b65d4)
• Owner/admin rescan path exists: Current main lets owners/admins view rescan state and request a fresh scan, then dispatches static, VirusTotal, and LLM scans for the latest version. (convex/skills.ts:4166, 7bef2a0b65d4)
• Manual clean override exists: Moderators can apply an audited clean manual override for suspicious skills, preserving scan metadata and clearing public suspicious state when staff has reviewed the artifact. (convex/skills.ts:5540, 7bef2a0b65d4)

Likely related people:

• Patrick-Erichsen: Current blame and feature history point to Patrick Erichsen for the suspicious-skill banner, owner rescan UI/backend, manual override surfaces, and recent ClawHub security workflow work used to process appeals like this. (role: recent maintainer and moderation/rescan surface owner; confidence: high; commits: ecf09b868a98, ef2846b2e4c7, e6c3d6ff28b1; files: src/components/SkillHeader.tsx, src/components/SkillDetailPage.tsx, src/components/DetailSecuritySummary.tsx)
• deepujain: Deepak Jain authored the current-main moderation calibration for VirusTotal Code Insight suspicious signals, and the changelog credits @deepujain for the false-positive calibration work. (role: VirusTotal Code Insight calibration contributor; confidence: medium; commits: d855d09ab070; files: convex/lib/moderationEngine.ts, convex/lib/moderationEngine.test.ts, convex/skills.ts)
• steipete: Peter Steinberger authored adjacent current-main cleanup for uncorroborated VirusTotal suspicious state, which is related to false-positive handling but not a clearance for this specific skill. (role: adjacent scanner moderation maintainer; confidence: medium; commits: 232e429dee6f; files: convex/skills.ts, convex/skills.manualOverrides.test.ts, convex/skills.rateLimit.test.ts)

Remaining risk / open question:

• Clearing this appeal is security-sensitive because the published skill intentionally executes arbitrary local shell commands, reads/sources shell configuration, and the live scanners still report suspicious findings.
• Trusted-publisher status is an account/admin policy decision, not a narrow source-code cleanup.
• Production moderation state can change independently of the repository, so staff should re-check the public scan and moderation endpoints immediately before acting.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7bef2a0b65d4.

[clawsweeper]

Codex review: keeping this open for maintainer follow-up; there is still a little grit to resolve.

Keep open. ClawHub cleanup policy keeps issues open in this lane, and the live production state still reports terminal-killer v1.2.0 as suspicious. Current main has generic appeal, rescan, scanner calibration, and audited manual-override tooling, but no checked-in skill-specific clearance, trusted-publisher grant, or false-positive note for this appeal.

Required change / next step:

The remaining action is a security/moderation decision against a live artifact and publisher account, not a safe source-only fix PR.

Review details

Best possible solution:

ClawHub staff or moderators should review the exact terminal-killer v1.2.0 artifact, scanner evidence, and publisher history. If they confirm a false positive, they should use the existing audited manual clean override with a review note; any trusted-publisher decision should go through marketplace/admin policy, while the broader appeal-link UX remains tracked by #371.

Acceptance criteria:

• Check the canonical ClawHub skill scan API for terminal-killer and confirm version, SHA-256, scanner verdicts, and whether any manual override is active.
• Check the canonical ClawHub moderation API for terminal-killer and confirm verdict, reason codes, engine version, and update time.
• Review the exact terminal-killer v1.2.0 artifact source before applying any manual clean override or publisher trust change.

What I checked:

• Live scan remains suspicious: The public scan endpoint returns terminal-killer version 1.2.0 with moderation.isSuspicious: true, security.status: suspicious, SHA-256 241c18abd90965ab3401ed10c0ffb162a12d48870b380b8057fe9ab0f8cc42c1, and suspicious VirusTotal plus ClawScan verdicts.
• Live moderation remains suspicious: The public moderation endpoint returns verdict: suspicious, reason codes suspicious.llm_suspicious and suspicious.vt_suspicious, engine version v2.4.2, and no manual-cleared state.
• No target-specific clearance in source: Exact search found no checked-in reference to the slug, publisher handle, reported account id, or live artifact hash, so main does not contain a per-skill whitelist, trusted-publisher grant, appeal record, or false-positive note. (7bef2a0b65d4)
• Generic appeal banner exists: Suspicious skill pages show a warning and, for managers, link to GitHub issues for incorrect flags; this supports appeals but does not resolve this specific skill. (src/components/SkillHeader.tsx:124, 7bef2a0b65d4)
• Owner/admin rescan path exists: Current main lets owners/admins view rescan state and request a fresh scan, then dispatches static, VirusTotal, and LLM scans for the latest version. (convex/skills.ts:4166, 7bef2a0b65d4)
• Audited manual clean override exists: Moderators can apply a clean manual override to a currently suspicious skill, preserving previous scan metadata and writing an audit log entry. (convex/skills.ts:5540, 7bef2a0b65d4)

Likely related people:

• Patrick-Erichsen: Current blame and feature history point to Patrick Erichsen for the suspicious-skill banner, owner/admin rescan UI/backend, and manual-review surfaces used to process this kind of appeal. (role: recent maintainer and moderation/rescan surface owner; confidence: high; commits: ecf09b868a98, ef2846b2e4c7, e6c3d6ff28b1; files: src/components/SkillHeader.tsx, src/components/SkillDetailPage.tsx, src/components/DetailSecuritySummary.tsx)
• deepujain: Deepak Jain authored the recent moderation calibration that controls when VirusTotal Code Insight suspicious signals are suppressed or retained, which is directly relevant to false-positive appeals. (role: VirusTotal Code Insight calibration contributor; confidence: medium; commits: d855d09ab070, 932155cb8ff5; files: convex/lib/moderationEngine.ts, convex/lib/moderationEngine.test.ts, convex/skills.ts)
• steipete: Peter Steinberger authored adjacent cleanup for uncorroborated VirusTotal suspicious state and appears in manual-override/moderation history for this area. (role: adjacent scanner moderation maintainer; confidence: medium; commits: 232e429dee6f, 8752e4bb7e92; files: convex/skills.ts, convex/skills.manualOverrides.test.ts, convex/skills.rateLimit.test.ts)

Remaining risk / open question:

• Clearing this appeal automatically would be security-sensitive: the skill intentionally executes arbitrary local shell commands, sources shell configuration, reads shell history, and live scanners still report suspicious findings.
• Trusted-publisher status is an account/admin policy decision, not a narrow repository source change.
• Production moderation state can change independently of main, so staff should re-check the live scan and moderation endpoints immediately before acting.

Codex review notes: model gpt-5.5, reasoning high; reviewed against 7bef2a0b65d4.

[openclaw-barnacle]

Thanks for the report. Please use the "Rescan" button on the skill/plugin page while signed in as the owner.

You can also request a fresh scan from the CLI:

• Skill: clawhub skill rescan <slug>
• Plugin/package: clawhub package rescan <name>

If the content or metadata changed, publish the fixed version first, then request the rescan for the latest release. I'm closing this issue after posting this guidance. If you're still having trouble after rescanning, please reopen this issue with the ClawHub URL, version, and latest scan result.