Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Mockplus Reader
v1.0.0读取和分析 MockPlus 在线设计页面。用于:(1)打开并解析 MockPlus 网页链接,(2)提取页面中的设计信息、结构、组件,(3)分析原型稿内容和交互说明。当用户发送 MockPlus 链接或要求分析原型稿时使用此技能。
⭐ 0· 78·1 current·1 all-time
byAdin@a-din
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill name and description say it will open and parse MockPlus pages and the instructions use a 'browser' tool to open a URL and snapshot the page, which is coherent. However, the SKILL.md also claims a pre-generated uni-app + Vue3 project exists at a Windows path (C:\Users\Ding\.openclaw\workspace\lutixia\) and lists npm/uni-cli commands to run. The registry metadata and requirement fields declare no install steps, no required binaries (e.g., node/npm), and no file access. That mismatch suggests either outdated/example text or hidden expectations (writing/reading files, Node/npm usage) that are not declared.
Instruction Scope
Most instructions are scoped to opening a MockPlus URL via the 'browser' tool and taking a snapshot, then extracting page title, component tree, interactions, and comments — this matches the stated purpose. The problematic part is the '已实现项目' section that implies local filesystem artifacts and instructs running npm commands to build/run a generated project. The SKILL.md does not instruct the agent to read arbitrary unrelated system files, but the mention of a specific local path could encourage the agent to access the host filesystem. Also it notes that MockPlus pages may require login; no guidance is provided about how credentials will be supplied or protected.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However, the document's claim that a uni-app project has already been generated and that users should run npm and a global uni-cli install conflicts with the absence of any declared install steps or required binaries. If the skill expects to generate or manage that project, an explicit install mechanism and declared dependencies (Node, npm, uni-cli) should be present — their absence is an inconsistency.
Credentials
The skill requests no environment variables or credentials, which is proportionate for a read-only page-parsing skill. But the SKILL.md acknowledges MockPlus pages may require login to view content; since no auth variables or OAuth flow are declared, it is unclear how credentials are intended to be provided. Also the hard-coded Windows path is platform-specific and not justified by the skill metadata.
Persistence & Privilege
The skill does not request persistent inclusion (always: false) and has no declared installation that would modify agent-wide settings, which is OK. However, the presence of a concrete local project path implies the skill either (a) was authored on a particular machine and included an example path, or (b) expects to create/read files at that path. Because no install or file access is declared, this is an unexplained elevation of scope (filesystem persistence) and should be clarified.
What to consider before installing
This skill's core behavior (use a 'browser' tool to open a MockPlus link and extract page structure/interactions) is reasonable. However: 1) The SKILL.md contains an unexplained claim that a uni-app/Vue3 project already exists at C:\Users\Ding\.openclaw\workspace\lutixia\ and shows npm commands — but the skill declares no install steps or required binaries (node/npm). Ask the author to clarify whether the skill will generate files on your machine and to provide an explicit install spec and declared dependencies if so. 2) If the skill needs to access MockPlus content behind login, confirm how credentials are supplied and stored (do not provide secrets unless a secure auth flow is documented). 3) Avoid running global npm installs or unknown build commands until you inspect the code that would be executed; prefer running any build in an isolated environment or container. 4) Because the source/homepage are unknown, consider requesting provenance (Git repo, author contact) before installing. These inconsistencies are likely explainable (example content left in SKILL.md), but you should get clarification before granting the skill filesystem or build privileges.Like a lobster shell, security has layers — review code before you run it.
latestvk97817r8yjccar80brzm1kkevx838ff0
License
MIT-0
Free to use, modify, and redistribute. No attribution required.