Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

GMNCODE Usage

v0.1.3

Queries large-model usage on the GMNCODE / gmncode.cn relay through its HTTP interface, including the dashboard summary, daily trends, and per-model token and cost breakdowns. Use it when the user asks to see GMNCODE token usage, daily per-model consumption, API/relay spend, or dashboard usage, or wants to fetch the data directly from a script or the HTTP interface...

0· 85·0 current·0 all-time
by AlexShen @alex-shen1121
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose is to query GMNCODE usage, and the code implements a login followed by dashboard usage queries against https://gmncode.cn, which is consistent with that purpose. However, the registry metadata declares no required environment variables and no primary credential, while both SKILL.md and the script require GMNCODE_EMAIL and GMNCODE_PASSWORD. Because of that omission, a user would not learn of the credential requirement from the listing and would be prompted for account credentials unexpectedly.
Instruction Scope
SKILL.md and the script limit actions to reading credentials from environment or ~/.openclaw/.env, calling specific dashboard API endpoints, and caching a bearer token under ~/.cache/openclaw/gmncode-usage/token.json. The instructions do not request unrelated files, admin routes, or external endpoints beyond the hardcoded https://gmncode.cn.
Install Mechanism
There is no install spec (instruction-only) and the included Python script uses only standard library networking; nothing is downloaded from arbitrary URLs and no archives are extracted. Risk from install mechanism is low.
Credentials
Requiring GMNCODE_EMAIL and GMNCODE_PASSWORD is proportionate to login-based API access, but a full account password is more sensitive than a scoped API token, and the skill asks for the former. The registry also fails to declare these required env vars or a primary credential, which is misleading. Writing a token cache in the user's home directory is normal, but users should be aware that they are handing over account credentials, not a revocable key.
Persistence & Privilege
The skill does not request elevated or persistent platform privileges. It creates a local token cache under the user's home directory and deletes and refreshes it when the API answers 401; the manifest sets always:false, and the skill modifies no other skills or system-wide settings. This is typical and limited in scope.
What to consider before installing
This skill's code and docs show it logs into https://gmncode.cn and queries usage data, which is consistent with its description. However:
(1) The registry metadata omits the required GMNCODE_EMAIL/GMNCODE_PASSWORD env vars; expect the skill to ask for them.
(2) It needs your account password (not just an API key), which is sensitive; prefer a dedicated, limited account or an API token if GMNCODE supports one.
(3) The script caches a bearer token at ~/.cache/openclaw/gmncode-usage/token.json and reads ~/.openclaw/.env; check that both files are owner-only (chmod 600) and inspect the cache content if concerned.
(4) Review the full script yourself (it is included) to confirm it contacts no network destination other than https://gmncode.cn and has no unexpected behaviour.
(5) If you proceed, run it in a confined environment and with an account that has minimal privileges.
The main issues are the metadata mismatch and the sensitivity of requiring a full password; fixing the metadata or supporting an API token would increase trust.
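The file-permission and network-destination checks in points (3) and (4) can be scripted. The following is an added example, written for this page; it is not the skill's own code and not part of the ClawHub scan. It assumes the two paths the review names (~/.openclaw/.env and ~/.cache/openclaw/gmncode-usage/token.json), takes the path of the unpacked skill script as an argument because the zip layout is not shown here, and allow-lists gmncode.cn as the only permitted host. Any other http(s) host found in the script is reported.

```shell
#!/bin/sh
# Added example, not the skill's own code and not part of the ClawHub scan.
# Pre-install audit for a credential-handling skill: verifies that the files the
# review names are owner-only (mode 600) and that the skill script references no
# host other than the one it is documented to contact (gmncode.cn).
# Assumed paths: ~/.openclaw/.env and ~/.cache/openclaw/gmncode-usage/token.json;
# the script path depends on where the zip is unpacked, so it is passed in.

# file_mode FILE -> octal permission bits, using GNU stat (-c) or BSD stat (-f)
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# perm_ok FILE -> 0 if FILE is absent (nothing to leak yet) or is exactly mode 600
perm_ok() {
  [ -e "$1" ] || return 0
  [ "$(file_mode "$1")" = "600" ]
}

# foreign_hosts SCRIPT ALLOWED -> one line per http(s) host in SCRIPT other than ALLOWED
# (exit status 1 when there are none, because the final grep reports "no match")
foreign_hosts() {
  grep -oE 'https?://[A-Za-z0-9._-]+' "$1" \
    | sed -E 's#^https?://##' \
    | sort -u \
    | grep -vxF "$2"
}

# audit_skill SCRIPT ENV_FILE TOKEN_CACHE [ALLOWED_HOST]
# Prints findings; returns 0 only when every check passes.
audit_skill() {
  script=$1; env_file=$2; cache=$3; allowed=${4:-gmncode.cn}
  rc=0
  for f in "$env_file" "$cache"; do
    if ! perm_ok "$f"; then
      echo "WARN: $f is mode $(file_mode "$f"), expected 600 (run: chmod 600 \"$f\")"
      rc=1
    fi
  done
  # "|| true" keeps an empty result from aborting a set -e caller
  extra=$(foreign_hosts "$script" "$allowed" || true)
  if [ -n "$extra" ]; then
    echo "WARN: $script references hosts other than $allowed:"
    echo "$extra" | sed 's/^/  /'
    rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: permissions and network destinations match the review"
  return "$rc"
}

# Usage (paths are the review's; the script path is wherever you unpacked the zip):
#   sh audit.sh ./gmncode-usage/scripts/usage.py ~/.openclaw/.env \
#       ~/.cache/openclaw/gmncode-usage/token.json
if [ "$#" -ge 3 ]; then
  audit_skill "$@"
fi
```

A non-zero exit means either a credential file is readable by other local users or the script names a host the review did not account for; in both cases read the script before installing rather than trusting the scan verdict alone.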

Like a lobster shell, security has layers — review code before you run it.

latest: vk97e70bwyfxt5gvtpbtm0fr5ah83k7b9
