Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Chaoxing Download

v1.3.0

Download PDF documents from Chaoxing (超星) contest/platform viewer URLs and convert to TXT. Use when user wants to download files from contestyd.chaoxing.com,...

by Yi, Li (李祎) @artminding
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (download Chaoxing viewer PDFs and convert to text) directly match the SKILL.md: it extracts objectid, calls the documented getYunFiles endpoint, downloads data.pdf, validates page count, and converts to TXT. There are no unrelated credentials, binaries, or config paths requested.
Instruction Scope
Instructions stay within the stated purpose (parsing URLs/objectid, calling contestyd.chaoxing.com, downloading PDFs, extracting text and OCR). They instruct writing files to ~/Downloads/chaoxing_pdfs and installing Python packages. The SKILL.md also includes a Windows example path (C:/Users/Cameron/...) which appears to be an author/example artifact and not required. Note: the OCR package may download additional models at runtime, which causes extra network activity beyond the described API calls.
Install Mechanism
The skill is instruction-only (no install spec), so nothing is installed by the platform. However, the runtime instructions tell users to run pip install pymupdf rapidocr-onnxruntime. Installing third-party Python packages is within scope but carries the usual risks (supply-chain issues, additional runtime model or asset downloads). No arbitrary download URLs or archives are present in the skill itself.
Credentials
No environment variables, credentials, or protected config paths are requested. The skill writes output to the user's Downloads directory (expected for a downloader). The Windows path shown is just an example and not a declared requirement.
Persistence & Privilege
No persistent/always-on flag set; the skill is user-invocable and does not request elevated or cross-skill configuration changes. It does write files to the user's Downloads directory as part of normal operation.
Assessment
This skill appears to do what it claims: call Chaoxing's public getYunFiles endpoint, download PDFs, and convert them to text. Before using it:
1) Confirm you are allowed to download the documents (copyright/terms).
2) Run pip installs inside a virtualenv (pymupdf and rapidocr-onnxruntime) to limit system impact.
3) Be aware rapidocr-onnxruntime may download OCR models or perform additional network requests; check its docs.
4) The skill writes files to ~/Downloads/chaoxing_pdfs; validate filenames to avoid path-traversal or overwrites and use the force/overwrite flags deliberately.
5) If you need to audit network calls, monitor requests to contestyd.chaoxing.com and any s3 host used for PDFs.
If any of these behaviors are unacceptable or you cannot verify model/package provenance, do not run the installs or run them in an isolated environment.
