Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Asset Library Skill
v1.0.0

Asset Library Skill. Use when the user expresses the overall end-to-end intent in one request, including "build these materials into an asset library" (把这些材料建成资产库), "list the items that need to be renewed or reissued in the next 60 days" (列出未来 60 天需要续办或补办的事项), "generate a summer internship application package" (生成暑期实习申请材料包), when...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (medium confidence)

Purpose & Capability
The top-level SKILL.md (caixu-skill) is a router that only routes to child phase skills and explicitly says it should not call MCP tools or touch files; that purpose matches the 'Asset Library Skill' description. However, the bundle also contains many code modules (caixu-data-mcp, caixu-ocr-mcp, embedding code, storage, scripts) that implement local MCP tools and local filesystem/embedding behavior. The registry metadata and top-level description imply an instruction-only routing entrypoint, but the package includes server tooling and executable Node code, an inconsistency the user should be aware of.
Instruction Scope
The SKILL.md instructions for caixu-skill are narrowly scoped (route to a single phase skill, check install guidance, do not perform extraction or I/O). Child skills' SKILL.md files explicitly instruct agents to call MCP tools that read local files, run OCR, generate embeddings, persist to local SQLite, and export zips. That scope is consistent within the project (it's a multi-skill suite where some skills perform I/O), but the top-level router specifically promises not to perform those actions itself.
Install Mechanism
No install spec is declared despite numerous Node packages, PNPM lockfile, scripts, and runtime behavior that depend on installed packages (e.g., @huggingface/transformers, @modelcontextprotocol sdk). The embedding code spawns a Node subprocess that executes an inline worker which loads Hugging Face transformers and may access local model caches or the network. Without an explicit install mechanism, it's unclear how required dependencies or native models will be provisioned — this is a mismatch and a deployment risk.
Credentials
Registry metadata lists no required env vars, but source references several environment variables (CAIXU_SQLITE_PATH, CAIXU_EMBEDDING_CACHE_DIR, CAIXU_EMBEDDING_MODEL, CAIXU_EMBEDDING_TIMEOUT_MS and others) and will perform filesystem access and optional network calls to model libraries. No credentials are requested in metadata, which is good, but the code's reliance on optional env configuration is not documented in the skill manifest and may surprise operators.
Persistence & Privilege
The skill does not set always:true and is user-invocable. It contains services (MCP server tools) that persist to local SQLite and write files (package preflight, storage). That level of privilege is consistent with a local asset-management skill, but it is powerful (local file and DB access + embedding/model invocations). Because it is not forced-always, this is acceptable but should be run in a trusted or isolated environment.
Scan Findings in Context
system-prompt-override (expected): The SKILL.md files contain YAML frontmatter and agent prompt directives (used to configure the agent prompt). The scanner flagged this as a 'system-prompt-override' pattern. This may be expected for skill prompt configuration, but treat it as a prompt-injection signal and review the frontmatter text for unintended instructions or hidden overrides.
What to consider before installing
This bundle is not pure 'instruction-only' despite metadata implying so: it includes many Node modules, MCP tool implementations, and scripts that access local files, a local SQLite DB, and run embedding/model code that may reach the network or local model caches. Before installing or running this skill, consider:

1) Ask the publisher for an install spec and an explicit list of required environment variables (and why they're needed).
2) Review package.json / pnpm-lock to see third-party dependencies and their versions.
3) Run the code only in an isolated environment (sandbox/container) because it will read/write local paths and may download models.
4) Confirm whether any external credentials (Hugging Face tokens, model-hosting keys) are required; the manifest doesn't declare them but the code may expect network/model access.
5) If you only want the routing behavior, verify how the platform will execute the child MCP tools (they may not be available without installing the Node packages).
6) Treat the 'system-prompt-override' scanner finding as a prompt to manually inspect the SKILL.md frontmatter for any hidden or authoritative instruction strings.

If you cannot verify the install/runtime details or do not trust the source, do not enable this skill on sensitive systems.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

caixu-data-mcp/src/search-embedder.ts:90
Shell command execution detected (child_process).
caixu-shared-core/packages/docgen/tests/docgen.test.ts:119
Shell command execution detected (child_process).
caixu-ocr-mcp/src/tools/zhipu-http.ts:149
Environment variable access combined with network send.
latest · vk9757kwabj0awwhnfx4ynct4s5843j4m
