Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Outline Kb

v0.1.0

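Outline knowledge base API interaction. Search documents, create/edit documents, manage Collections, list users, and more. Use when the user needs to interact with an Outline knowledge base, including searching content, creating documents, viewing document structure, exporting documents, managing permissions, etc.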

by 易仝 @1944876825
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and the SKILL.md consistently describe an Outline knowledge-base API client (search, create/update documents, manage collections/users, export, etc.). The listed endpoints and operations in references/api-endpoints.md align with that purpose.
[!] Instruction Scope
SKILL.md explicitly instructs the agent to read OUTLINE_BASE_URL and OUTLINE_API_KEY from environment variables and to call Outline endpoints (curl or web_fetch). That instruction is narrowly scoped to interacting with the Outline API and does not request unrelated files, system paths, or exfiltration endpoints, but it does access environment variables that are not declared in the skill metadata — a manifest/instruction mismatch that could hide secret requirements.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to write or execute. No downloads or package installs are performed by the skill itself.
[!] Credentials
The SKILL.md requires two environment variables (OUTLINE_BASE_URL, OUTLINE_API_KEY) including an API key capable of document and permission changes; however, the skill registry metadata lists no required env vars or primary credential. The variables themselves are proportionate to the stated purpose, but the manifest omission is a red flag (the skill will need a secret at runtime despite metadata saying none).
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent installation or to modify other skills or system-wide settings.
What to consider before installing
This skill appears to be a straightforward Outline API helper, but the skill manifest does not declare the environment variables that the runtime instructions require. Before installing: (1) confirm you are willing to provide OUTLINE_API_KEY (it can allow destructive actions like delete/archive/permission changes); (2) prefer using a least-privilege API key or a test Outline instance; (3) ask the publisher or registry to update the metadata to declare required env vars (so you know a secret will be needed); (4) avoid using a shared/production API key until you verify behavior in a safe environment; (5) review activity after first use (logs, API audit) to ensure it only performs expected calls.

Like a lobster shell, security has layers — review code before you run it.
