Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

claim-risk-auditor

v1.0.0

Checks copy, papers, promotional drafts, or product descriptions for high-risk claims, flags evidence gaps, and offers safer rewrites.

0 stars · 251 downloads · 1 current · 1 all-time
by vx:17605205782@52yuanchangxing
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the implementation: the skill is designed to read clipboard text and audit claims. Declared binaries (node and pbpaste) align with that purpose. Minor mismatch: SKILL metadata requires pbpaste (macOS) but the skill lists no OS restriction — it will fail on non‑macOS systems.
Instruction Scope
SKILL.md instructs the agent to run scripts/read_clipboard.mjs, which simply invokes pbpaste and prints the clipboard contents. This stays within the stated scope (reading content the user asked to check). However, reading the clipboard can expose sensitive or secret data; the instructions do not direct any transmission off‑device, but the agent will have access to whatever is on the clipboard.
Install Mechanism
Instruction-only skill with no install spec and a tiny included script. Nothing is downloaded or written to disk beyond the provided code files.
Credentials
No environment variables, credentials, or external config paths are requested. The single external dependency (pbpaste) is appropriate for clipboard reading on macOS.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). Be aware: the platform allows autonomous invocation by default — if the agent runs this skill autonomously it could read clipboard contents without an explicit user copy/consent. That combination (autonomous invocation + clipboard access) increases data‑exposure risk even though the skill itself does not exfiltrate data.
Assessment
This skill appears to be what it claims: a clipboard-based claim auditor. Before using, note: (1) it requires pbpaste so it works on macOS only; (2) it will read and print whatever is in your clipboard — do not copy passwords, tokens, private documents, or other secrets before running; (3) the skill does not include network calls or request credentials, so it does not by itself exfiltrate data, but if you are concerned about the agent invoking it autonomously, disable autonomous invocation or only run it after explicitly copying the text you want audited. If you need cross‑platform clipboard support or stricter safeguards, request changes (e.g., explicit user confirmation step or alternative clipboard methods).
scripts/read_clipboard.mjs:5
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.


Runtime requirements

🛡️ Clawdis
Bins: node, pbpaste
latest: vk9748g5b7e5prpv63rkedgbt6d82p78p
251 downloads
0 stars
1 version
Updated 6h ago
v1.0.0
MIT-0

Claim Risk Auditor

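This is a "claim risk audit" skill.

Main uses

Suitable for checking:

  • Product promotional copy
  • Brand introductions
  • Investment-promotion copy
  • Promotional scripts
  • Absolute statements in academic writing
  • Overreaching conclusions in a paper's discussion section
  • Training course copy
  • Livestream spoken-script copy

How to invoke

When the user says:

  • Read the clipboard and check for risky expressions
  • Help me find claims that are likely to backfire
  • See which statements lack supporting evidence
  • Help me make the wording safer

You should run: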

node {baseDir}/scripts/read_clipboard.mjs
