mihomo-proxy

管理 mihomo (Clash Meta) 代理服务。当用户需要配置、更新、重启代理、切换节点、更新订阅或排查代理连接问题时使用。适用于已有 mihomo 二进制和配置的 Linux 服务器。

This skill appears to do what it says (generate mihomo config from a subscription and manage the service), but proceed carefully: 1) It requires node, curl, and systemctl though the metadata doesn't declare them — ensure those are present and you understand why. 2) The included script executes curl via a shell command using the provided subscription URL without sufficient escaping, creating a command-injection risk if the URL is maliciously crafted. Only use subscription URLs from trusted providers and avoid copying untrusted links. 3) The skill writes to /opt/mihomo-config/config.yaml and restarts systemd services, so it needs appropriate privileges; back up your existing config before running. 4) If you plan to use this, consider reviewing or patching scripts: replace execSync with a safe HTTP client (e.g., node https/axios or child_process.execFile) or properly sanitize/escape the URL, and run the tool as a non-root user or in a sandbox. 5) If you are not comfortable auditing or patching the code, treat the skill as potentially dangerous and avoid installing it on production systems.

Type: OpenClaw Skill Name: mihomo-proxy Version: 1.0.0 The skill bundle contains a critical shell injection vulnerability in `scripts/gen_config.js` where the `execSync` function is used to execute a `curl` command with an unsanitized subscription URL. While the tool's stated purpose of managing a Mihomo proxy service is legitimate, the lack of input validation allows for arbitrary command execution if a malicious URL is provided. Additionally, the skill requires high privileges to modify files in `/opt` and manage systemd services, increasing the impact of the vulnerability.