Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
alphaclaw
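v1.0.2
AlphaClaw is the CLI tool for the SkillHub skill store, used to search, install, publish and manage Claude Code skills. It supports AK/SK login, keyword search for skills, one-command install/publish of skill packages, favorites, comments and other features.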
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description match the SKILL.md: a CLI for searching, installing, publishing and managing SkillHub skills. Commands, AK/SK login, publish/install flows, and referenced endpoints (alphashop.cn, api.alphashop.cn, skill.alphashop.cn) are coherent with the stated purpose.
Instruction Scope
Instructions stay within the tool's domain (login, search, install, publish, comment, favorite). They instruct opening a browser to obtain AK/SK and saving credentials to ~/.alphaclaw/auth.json, and packaging/uploading a zip when publishing — all expected for a CLI that interacts with a remote skill hub. There is no instruction to read unrelated system files or exfiltrate arbitrary data, but the docs direct the user to upload local directories when publishing (expected but powerful).
Install Mechanism
The registry has no install spec, but SKILL.md tells the user to run 'npm install -g 1688alphaclaw' — this is normal for a Node CLI but means you will be running external code from npm. Because the skill bundle itself contains no code, the actual runtime behavior depends entirely on that npm package; verify the package source before installing.
Credentials
No unusual environment variables or unrelated credentials are requested. The tool uses AK/SK for the SkillHub API (expected) and optionally respects SKILLHUB_API. It stores credentials in ~/.alphaclaw/auth.json — storing secrets locally is expected but requires attention to file permissions and key scope/rotation.
Persistence & Privilege
The skill does not request permanent/always-on privileges, does not modify other skills' configs, and is user-invocable only. No elevated platform privileges are requested in the SKILL.md.
Assessment
This SKILL.md is internally consistent for a CLI tool, but it instructs you to install an npm package (1688alphaclaw) and to enter/store AK/SK credentials locally. Before installing or using it:
1) verify the npm package page and source repository (confirm publisher, read package README, check recent versions and downloads);
2) review the package code or its GitHub repo if possible (the skill bundle here contains no executable code);
3) only use least-privilege API keys (restrict scope, rotate keys) and avoid putting high-privilege credentials in your primary account;
4) protect the auth file (set restrictive permissions, e.g., chmod 600) and consider storing secrets in a secure vault if available;
5) when publishing, be aware you will be uploading local files — review what you package before upload.
These steps will reduce risk from installing and running external CLI code.
Like a lobster shell, security has layers — review code before you run it.
