Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TOKEN SOP

v5.6.0

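Automatically caches and reuses locally successful workflows, prioritizing local execution to save tokens; supports offline use and cloud backup and sharing.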

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (local workflow caching, replay, optional cloud backup) matches the code and declared permissions (browser, lobster, sessions_history, network). Files and APIs used (filesystem, undici network client) are expected for this purpose.
Instruction Scope
SKILL.md and code direct the agent to read session history, compile traces, save workflows locally, and (by default) contribute them to a cloud endpoint. That scope matches the stated purpose, but the README/SKILL.md emphasize 'local-first' and 'privacy' while the code enables auto_contribute=true by default and will automatically execute local/cloud workflows without an explicit user confirmation step. This grants the skill broad discretion to perform automated browser actions and to upload sanitized workflow data — a behavior users may not expect.
Install Mechanism
Instruction-only install (no external installer). All dependencies are included in package.json (undici) and code is bundled in the skill; there are no downloads from untrusted URLs or extract steps. Low install risk.
Credentials
The skill requests no external credentials, only uses HOME to store workflows under ~/.openclaw/workflows. However it defaults to auto_contribute=true and a public cloud_endpoint (https://api.ainclaw.com). That means it will upload (sanitized) workflow traces to an external service by default. Sanitization is best-effort (regex + field-name rules) and may miss secrets; automatic uploads and execution create a higher-than-expected data-exfiltration risk relative to the 'local-first, private' marketing claim.
Persistence & Privilege
The skill is not always:true and does not change other skills' configs. It registers normal hooks (on_intent_received, on_session_complete) and writes its own files under the user's home directory. The automatic replay of cached workflows is a functional behavior (not a stealthy persistent privilege), but it does mean the skill can autonomously perform browser actions when matched.
Scan Findings in Context
[fs.writeFileSync] expected: Skill persists workflows locally to ~/.openclaw/workflows; writing files is required for the local cache feature.
[network.request_to_api.ainclaw.com] expected: Skill contacts a cloud endpoint to match/contribute workflows; network calls are necessary for cloud backup/sharing. Default endpoint is external (https://api.ainclaw.com).
[pii_regex_patterns] expected: Sanitizer contains regexes for emails, phone, API keys, passwords etc. This is expected (privacy gate), but regexes are not perfect and can miss secrets or structured tokens.
[process.env.HOME] expected: Used to determine default local storage directory; expected behavior.
What to consider before installing
This skill implements local caching and cloud backup of recorded workflows and will automatically replay cached workflows to save tokens. Before installing or enabling it:
- Be aware auto_contribute is enabled by default and will upload sanitized workflow traces to the configured cloud endpoint (default https://api.ainclaw.com). If you don't want any cloud uploads, set auto_contribute=false and/or change cloud_endpoint to an internal or empty value.
- Sanitization is best-effort (regex + field-name rules). Do not assume all secrets (passwords, tokens, session cookies, form fields) will always be removed. Audit saved workflows in ~/.openclaw/workflows to verify no sensitive data is present.
- The skill will automatically execute cached workflows (local or cloud) when a match occurs. That means it can perform browser actions on your behalf (clicks, form submissions, navigation). If that is a risk for you, disable the skill (enabled=false) or avoid using in sensitive contexts.
- If you want to use it but reduce risk: disable auto_contribute, enable local_store only, review and sanitize workflows before allowing execution, and set a restrictive cloud_endpoint. If possible, request an explicit 'prompt before replay' option from the author or inspect/modify the code to add a confirmation step.
- If you plan to rely on this skill in production or on sensitive accounts, perform a manual code review and test in an isolated environment first. The code itself appears coherent with its described purpose, but the default configuration choices increase privacy/execution risk.

Like a lobster shell, security has layers — review code before you run it.
