Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Live Replay Analyzer

v1.0.0

(Verified) Based on the client and the session, automatically generates a detailed "Live Stream Review and Growth Plan Report".

byan@ahsbnb
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Pending
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Functionality matches the stated purpose: analyzer.py reads input files, assembles a prompt and (optionally) calls a model to generate a report. Requiring an API key for a model call is reasonable. However, the registry metadata declared no required env vars/config, while SKILL.md and analyzer.py require a 'review_api_key' stored in ~/.openclaw/config.json — this is an inconsistency that should be explained by the author.
Instruction Scope
SKILL.md instructs the user to add an API key and (optionally) override the API URL in ~/.openclaw/config.json; analyzer.py reads exactly that file. The script sends the assembled prompt and user-provided input files (data.txt/profile.txt/script.txt) to the configured remote endpoint. That network transmission of potentially sensitive client data to an external third party is within the skill's runtime scope but may be unexpected to users. Additional mismatch: SKILL.md mentions profile.png as an alternative source, but analyzer.py only reads profile.txt (no image handling).
Install Mechanism
There is no external install/download; the skill is instruction + local Python script. It requires aiohttp/requests at runtime (SKILL.md lists them). No archive downloads or remote installers are used, so install risk is low.
Credentials
The skill requests a single API credential (review_api_key) and an optional review_api_url — which is proportionate to making model calls. But the credential is stored in a shared path (~/.openclaw/config.json) that may hold other secrets used by other skills; the registry metadata did not declare this config requirement or any required env vars, creating a transparency gap. Also the default review_api_url (https://api2.aigcbest.top) is a third‑party endpoint that may not be the provider the user expects.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills, and does not claim to persist or elevate privileges. Autonomous invocation is allowed by platform default but not in itself an additional red flag here.
What to consider before installing
Before installing/using this skill:
1) Be aware the script will read ~/.openclaw/config.json for a 'review_api_key' and will send your input files (data/profile/script) to the configured review_api_url — the default endpoint is api2.aigcbest.top (not an obvious mainstream provider). If you don't trust that endpoint, do not put secrets there.
2) Prefer creating a dedicated API key for this skill (not reuse high‑privilege keys) and limit its scope if possible.
3) Verify the skill source (the SKILL.md lists a placeholder GitHub URL).
4) If you must test, run it in an isolated environment or container and monitor outbound network calls.
5) Ask the author to: (a) declare the config requirement in registry metadata, (b) explain why the default endpoint was chosen and provide instructions for using a trusted LLM provider, and (c) fix the documentation mismatch (profile.png vs profile.txt).
