Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

alphashop-text

v1.0.1

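AlphaShop (遨虾) text-processing API toolkit. Supports three endpoints: LLM-based text translation, generating multilingual product selling points, and generating multilingual product titles. Trigger scenarios: translate text, text translation, multilingual translation, generate selling points, product selling points, multilingual selling points, generate titles, product titles, multilingual titles, SEO titles, AlphaShop text, 遨虾 text processing.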

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description (text translation / title / selling-point generation) match the script and API endpoints. Requiring ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY is coherent for this purpose — but the registry metadata incorrectly lists no required env vars/primary credential, which is an inconsistency.
! Instruction Scope
SKILL.md explicitly instructs the agent to use environment variables ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY and to call scripts/alphashop_text.py which posts to https://api.alphashop.cn. The instructions are otherwise scoped to the stated task, but they reference environment variables that are not declared in the skill registry metadata (potentially leading to silent failures or unexpected prompts for secrets).
Install Mechanism
There is no install spec (instruction-only style), but requirements.txt lists requests and PyJWT. That means the runtime depends on third-party packages but the skill provides no automated install step; this is not malicious but is operationally incomplete and may lead users to manually install dependencies.
! Credentials
The script requires two secrets (ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY) which are proportionate to the described API usage. However these required env vars are missing from the declared registry requirements and no primary credential is set — an incoherence that affects trust and automated permission checks.
Persistence & Privilege
Skill does not request persistent/always-on privileges and does not modify other skills or system settings. It runs as a simple CLI client and uses the provided env vars at runtime.
What to consider before installing
This skill appears to do what it claims (it calls AlphaShop API endpoints and builds a JWT from ALPHASHOP_ACCESS_KEY/ALPHASHOP_SECRET_KEY), but the registry entry fails to declare the required environment variables and primary credential. Before installing:
1) verify you trust https://api.alphashop.cn and the skill author;
2) do not supply production/privileged keys — use a scoped or test key if possible;
3) ask the publisher to update the registry metadata to declare ALPHASHOP_ACCESS_KEY and ALPHASHOP_SECRET_KEY as required so permission checks are explicit;
4) install dependencies in an isolated environment (virtualenv) and inspect the script yourself — the code constructs a JWT with your secret and sends requests to the AlphaShop API, so the secret will be usable for API calls.
If you cannot confirm the publisher or registry metadata, treat the skill as untrusted.
