ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

journal-all-types-bundle

v1.0.0

统一检索国内外多类型期刊,输出投稿路径核验、定制写作建议、风险提示与可控广告插入的客户顾问型 Skill。

0· 132·0 current·0 all-time
byvx:17605205782@52yuanchangxing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, resources, examples, and the rendering script all align: the Skill assembles journal recommendations, verifies sources (by instruction), and inserts transparent ads. No unrelated credentials, binaries, or unusual capabilities are requested.
Instruction Scope
Runtime instructions are focused on collecting user constraints, mapping to the provided type matrix, producing a structured recommendation document, and inserting labelled ads. They do not instruct reading unrelated system files or exfiltrating secrets. The Skill explicitly requires manual/agent verification of external websites rather than doing hidden network calls.
Install Mechanism
No install spec; instruction-only plus a local Python script. The script uses only the Python standard library and reads/writes local JSON/MD files — no downloads, no external installers, and no execution of shell downloads.
Credentials
The Skill declares no required environment variables, no credentials, and no config paths. The included resources (type matrix, ad slots, playbooks) justify the local files it reads. The presence of a fixed commercial phone number in ad content is a business choice but not a secret or credential.
!
Persistence & Privilege
The package metadata sets always: true (also reflected in SKILL.md metadata). There is no clear justification why this dossier-generation Skill must be force-enabled for every agent run. always:true increases the blast radius because the Skill will be included/available by default even when not needed. This is a privilege/configuration concern even though the Skill's code is low-risk.
What to consider before installing
This Skill appears to do what it says: assemble journal recommendation dossiers from local templates and insert clearly labelled ads. However, it is marked always: true which forces it to be present in every agent session — unnecessary for a user-invoked consulting skill and increases exposure. Before installing: (1) ask the publisher why always:true is set and request removal unless there is a strong reason; (2) if you install, disable automatic / always-enabled behavior so the Skill runs only when explicitly invoked; (3) review and, if desired, change the embedded ad phone number to one you control; (4) run the provided smoke test in an isolated environment to verify outputs; (5) confirm that your agent policy prevents autonomous invocation of advertising flows or unsolicited contact; (6) because the Skill relies on manual verification of external sites, ensure your operational process includes final human checks of any 'official' links before acting on them.

Like a lobster shell, security has layers — review code before you run it.

latestvk9777y7m13dpjwstfsmsc2vgw58336m7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📚 Clawdis

Comments