Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
reply-coach
v1.0.0从剪贴板读取聊天内容,生成尊重边界、自然不油腻的高情商回复建议,适用于微信、QQ等聊天场景。
⭐ 0· 269·0 current·0 all-time
byvx:17605205782@52yuanchangxing
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description say: read clipboard and produce reply suggestions. Declared required binaries (node, pbpaste) and the included script exactly implement reading macOS clipboard and printing it. The macOS-only dependency (pbpaste) is coherent with the intended behavior but limits platform compatibility.
Instruction Scope
SKILL.md instructs the agent to run the included script which reads the clipboard and prints the text with markers. That stays within the stated purpose. However, the skill does not filter clipboard contents or warn about secrets: any sensitive data copied to the clipboard would be emitted to stdout and could be included in prompts sent to the model or logged by the agent. The skill does explicitly say it does not auto-send messages, which aligns with behavior.
Install Mechanism
No install spec (instruction-only plus a small bundled script). Nothing is downloaded at install time and the only runtime action is invoking pbpaste via node child_process. No external URLs or archive extraction are involved.
Credentials
The skill requests no environment variables, credentials, or config paths. This is proportionate to its simple clipboard-reading purpose.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. It does not modify other skills or system configuration.
Assessment
This skill is simple and appears to do exactly what it says: read clipboard text and print it for the agent to turn into reply suggestions. Before installing/using it: (1) Be aware it relies on pbpaste, so it only works out-of-the-box on macOS. (2) Do not copy passwords, API keys, private tokens, or other secrets into your clipboard before invoking the skill — the script prints the raw clipboard contents and those could be included in prompts or logs. (3) The code uses node's child_process to run pbpaste; that is expected here but you can review the short script (scripts/reply_from_clipboard.mjs) yourself to confirm. (4) If you want cross-platform usage, request or modify a variant that uses platform-appropriate clipboard tools (e.g., xclip/xsel on Linux, powershell Get-Clipboard on Windows). If you need formal guarantees about data staying local, verify the agent's runtime doesn't transmit logs/prompts to external services or add explicit filtering/sanitization of clipboard contents.scripts/reply_from_clipboard.mjs:5
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk973yq46ckdxetbqygmz65rt0582qf52
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
💬 Clawdis
Binsnode, pbpaste