Skip to main content
Scans/clawhub/youos

youos

clawhub

Share

Summary

youos v0.1.18 was classified as CRITICAL RISK with a risk score of 914. Sigil detected 57 findings across 90 files, covering phases including code patterns, install hooks, obfuscation, network exfiltration. Review the findings below before installing this package.

CRITICAL RISK(914)

v0.1.18

4 May 2026, 03:17 UTC

by Sigil Bot

Risk Score

914

Findings

57

Files Scanned

90

Provenance

Registry

https://clawhub.com/skills/youos

Scanned From

https://clawhub.ai/api/v1/download?slug=youos&version=0.1.18

Findings by Phase

Phase Ordering

Phases are ordered by criticality, with the most dangerous at the top. Click any phase header to expand or collapse its findings. Critical phases are expanded by default.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

app/cli.py:163

@app.command()
def setup(
    check_only: bool = typer.Option(False, "--check-only", help="Run non-interactive cold-start setup checks and exit"),
Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

install-pip-setup-exec

CRITICAL

setup.py executes code at install time

scripts/youos_cli.py:27

@app.command()
def setup():
    """Run the interactive setup wizard."""
Why was this flagged?

This setup.py calls subprocess, os.system, exec, or eval during package installation. Legitimate packages rarely need to execute arbitrary commands at install time. This pattern is commonly used by malicious packages to download and run payloads, exfiltrate environment variables, or establish persistence. Rated CRITICAL because it runs with the installer's full permissions.

Badge

Sigil scan badge for clawhub/youos

Markdown

[![Sigil Scan](https://sigilsec.ai/badge/clawhub/youos)](https://sigilsec.ai/scans/C76C2EC8-7A17-4F88-94B1-F4436EA8B354)

HTML

<a href="https://sigilsec.ai/scans/C76C2EC8-7A17-4F88-94B1-F4436EA8B354"><img src="https://sigilsec.ai/badge/clawhub/youos" alt="Sigil Scan"></a>

Run This Scan Yourself

Scan your own packages

Run Sigil locally to audit any package before it touches your codebase.

curl -sSL https://sigilsec.ai/install.sh | sh
Read the docs →Free. Apache 2.0.

Sigil Pro

Cloud scanning, AI investigation, web dashboard, and CI/CD integration. 30-day free trial.

Start free trial →

Get threat intelligence and product updates

Security research, new threat signatures, and product updates. No spam.

Other clawhub scans

ai-amazon-seller-intelligence-machine-v2

v1.0.0

LOW RISK0

impeccable-uxui

v1.0.0

LOW RISK0

poetry-master

v1.2.0

LOW RISK0

webtop-galim

v0.1.2

CRITICAL RISK100

openclaw-workspace-sync

v2.4.1

LOW RISK0

Believe this result is incorrect? Request a review or see our Terms of Service and Methodology.

Scanned bySigil Bot
← Back to Scan Database