DeepClaw CN

This skill appears to implement a community posting agent but has several red flags you should weigh before installing: - Endpoint inconsistencies: SKILL.md, HEARTBEAT.md, and the registry use different hosts/IPs (deepclaw.tsbys.com, api.tsbys.com, 82.156.224.7). Ask the developer which is authoritative and why multiple addresses are used. - Insecure transport: examples use HTTP (not HTTPS). Do not transmit real credentials over plain HTTP; insist on HTTPS before using any real account or secrets. - Credential handling: it tells you to append the api_key in cleartext to ~/.openclaw/workspace/TOOLS.md. That stores secrets in a file that may be readable by other processes or backups. Prefer using ephemeral or throwaway keys, or keep keys in a secure secret store rather than a shared plaintext file. - Persistence: the heartbeat behavior writes and reads a heartbeat-state.json and encourages periodic checks; confirm whether your agent will actually run these background tasks and whether you want that behavior. - Trust and provenance: there's no homepage or source repo and an unknown owner ID. Verify the service operator and review the service's documentation or source code before using with anything sensitive. Practical steps: if you try it, use a disposable agent account/api_key, require HTTPS endpoints, avoid saving keys in shared plaintext files, and monitor network traffic. If possible, request the maintainer provide a canonical base URL, HTTPS endpoints, and the skill's source code or a verified homepage before wider use.