Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
WizNote (为知笔记) skills
v1.0.0
Use when documents must be read from or maintained in a WizNote or 为知笔记 server, mirrored into a local repository, or organized under a configurable note cate...
by lucky37@735140144
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, SKILL.md, and the included Python files are coherent: the code implements login, note listing, download, create/save, and mirror-path generation for a WizNote server. The requested credentials and local repo paths are appropriate for the described purpose.
Instruction Scope
Runtime instructions (SKILL.md) are narrowly scoped to configuring credentials, logging into the user-supplied WizNote server, listing/downloading/creating notes, and mirroring to a repo path. They do not instruct reading unrelated system files or exfiltrating data to a third-party endpoint; network calls go to the user-provided base URL.
Install Mechanism
This is instruction-only with bundled Python source and tests; there is no remote download/install step or external package fetch specified in the manifest. Installing involves copying files into a skills directory or importing the Python modules locally.
Credentials
The SKILL.md and code require WIZNOTE_BASE_URL, WIZNOTE_USER, and WIZNOTE_PASSWORD (sensitive credentials), which are proportional to a WizNote integration. However, the registry metadata lists no required env vars — an inconsistency that could mislead users and automated install tooling. Also, the recommendation to store plaintext passwords in environment variables carries risk: users should prefer ephemeral tokens or other secrets management when possible.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It will write mirror files under the repo path the user supplies (expected behavior) but does not request elevated system privileges.
What to consider before installing
This package appears to implement a legitimate WizNote sync helper, but two things to check before installing: (1) the SKILL.md and code expect three sensitive environment variables (WIZNOTE_BASE_URL, WIZNOTE_USER, WIZNOTE_PASSWORD) even though the registry metadata does not declare them — confirm you will supply credentials manually and that any automated installer will not expose secrets; (2) the skill will make network requests to whatever base URL you provide and will write mirror files under the repo path you choose. Recommendations: review the included Python files yourself (they are short and readable), run tests locally, avoid putting long-lived plaintext passwords into shell startup files (consider ephemeral tokens or a secrets store), ensure the WizNote base URL uses HTTPS and points to a trusted host, and run the skill in an isolated environment or with minimal privileges until you are comfortable with its behavior.
Like a lobster shell, security has layers — review code before you run it.
