Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
得到 Skill
v0.1.1
Handles interactions with the dedao-dl CLI tool for downloading and managing content from the Dedao (得到) App. Use when the user wants to list bought courses,...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included scripts and instructions. The skill only requires downloading and running the dedao-dl binary and provides a helper wrapper to clean CLI output; nothing requested is outside that scope.
Instruction Scope
SKILL.md is focused on using the dedao-dl tool: installation, listing content, login, and download workflows. It does not instruct the agent to read unrelated files or exfiltrate data. It does instruct the user/agent to pass login cookies or use QR login, which is expected for this use case.
Install Mechanism
The provided install script fetches the latest release via the GitHub API for repo yann0917/dedao-dl and writes the release asset directly to a local executable name. Using GitHub releases is reasonable, but the script does not verify checksums or signatures and may pick an archive asset as a fallback (the code prefers direct binaries but can fall back to any asset). This increases risk if the upstream repo or its releases are compromised.
Credentials
The skill declares no required environment variables or credentials, which aligns with its purpose. However, SKILL.md instructs providing authentication via QR or an explicit cookie string (login -c "<cookie_string>") — the agent or user will handle secrets at runtime. The skill itself does not request unrelated credentials.
Persistence & Privilege
The skill does not request always-on presence, does not modify other skills or system-wide configs, and only places files in the current directory (the downloaded binary). It runs binaries provided by the upstream project but does not persist credentials or alter agent configuration.
Assessment
This skill is a coherent wrapper for the dedao-dl CLI, but you should: (1) verify you trust the upstream GitHub repository (yann0917/dedao-dl) before running the install script; (2) inspect the release asset and, if possible, download and verify checksums manually rather than relying on the script; (3) be cautious when supplying cookie strings or other credentials — prefer QR login or run commands interactively so secrets are not saved into logs; (4) run the installer and binary in a sandbox or isolated environment if you are unsure; and (5) remember downloading full courses may violate terms of service or copyright and can consume large disk space and bandwidth.
Like a lobster shell, security has layers — review code before you run it.
latest vk9720zds96hpg2v5vrej83g4dd82m61k
