Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

quicker-connector

v1.2.0

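Integrates with the Quicker automation tool to read, search, and execute Quicker action lists. Supports both CSV and database data sources, intelligently matches user requests, and invokes the local QuickerStarter to execute them.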

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description say it integrates with Quicker, and the repository supplies CSV/SQLite readers and a runner that invokes QuickerStarter.exe. File-system and subprocess permissions declared in manifests align with reading CSV/DB and launching a local QuickerStarter executable. Defaults for csv/db/starter paths match expected Quicker locations.
Instruction Scope
SKILL.md and SKILL_OPTIMIZED.md restrict file I/O to config and user-specified paths and claim no network access; runtime instructions focus on reading CSV/DB, matching actions, and invoking QuickerStarter. However, documentation and README include installation/publishing instructions that show downloading releases (GitHub/ClawHub) for setup—those are developer/install-time actions, not runtime behavior. Also verify that the code actually limits subprocess calls to QuickerStarter.exe and sanitizes parameters as claimed (the manifest says it does; user should inspect scripts/quicker_connector.py to confirm).
Install Mechanism
There is no formal install spec in the registry (the skill is delivered as source files). That is lower risk than arbitrary remote install scripts, but README contains example wget/git/ClawHub install commands which would fetch code from GitHub/ClawHub if followed. One minor inconsistency: encoding_detector.py imports chardet but package metadata declares no runtime dependencies—ensure chardet is installed on the target system before running encoding detection.
Credentials
The skill requests no environment variables or external credentials. It needs read/write access to user-specified CSV/DB paths and to write its own config.json—this is proportionate to listing and executing Quicker actions. The default db_path/starter_path point at typical Quicker locations; reading the Quicker DB may expose local action metadata but that is the stated purpose.
Persistence & Privilege
The skill is not always-enabled and uses normal autonomous invocation. It declares subprocess permission limited to QuickerStarter.exe which is appropriate, but the configurable 'starter_path' setting means an operator with permission to edit the skill settings could point it at another executable; verify parameter validation and consider restricting the configured path if you want to limit misuse. The skill does not request to modify other skills or system-wide settings.
Assessment
This package appears to be what it claims: a local Quicker integration that reads a CSV/SQLite export and calls QuickerStarter.exe. Before installing:

1) Confirm you run this on Windows with Quicker and QuickerStarter.exe present (or set starter_path to the correct executable).
2) Inspect scripts/quicker_connector.py (and any runner code) to confirm subprocess calls are limited to QuickerStarter.exe and that parameters are validated/sanitized.
3) Install the chardet library if you want robust encoding detection (encoding_detector.py imports chardet but the package metadata does not declare it).
4) Be cautious with auto-execution: set auto_select_threshold high (e.g., 0.8–0.9) if you prefer confirmation before actions run.
5) If you will deploy this in a shared or sensitive environment, restrict who can edit the skill's starter_path/config to avoid pointing the skill at arbitrary executables.

If you want, paste the critical parts of scripts/quicker_connector.py here and I can review the exact subprocess/IO behavior line-by-line.

Like a lobster shell, security has layers — review code before you run it.

Tags: automation, latest, productivity, quicker, windows
