Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Zz Chat

v1.0.1

爪爪/钳钳 ("Claws"/"Pincers"): chat with OpenClaw directly from your phone. Trigger words: 钳钳, 爪爪, 钱钱, 龙虾, 聊天机器人, 创建爪爪, 安装钳钳, 打开钳钳, zz-chat.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
Name/description claim a mobile→OpenClaw chat bridge. The code and instructions match that purpose (deploy CF Worker, run a local bridge that calls the 'openclaw' CLI). However the skill does not declare key operational dependencies: wrangler (Cloudflare CLI) and the local openclaw binary are required but not listed in requires.env or required binaries. The runtime also relies on an external central service (https://ai0000.cn/zz/) for registration/relay which is not mentioned in the short description or metadata — surprising for users expecting direct peer-to-peer only.
! Instruction Scope
SKILL.md instructs the agent (and user) to install wrangler (npm -g), run 'wrangler login' (browser OAuth into the user's Cloudflare account), deploy a Worker, write and copy files under ~/.openclaw and ~/.zz, start persistent background processes (nohup python watchdog.py), and optionally create a launchd plist for auto-start. It also performs network calls to several external endpoints (ai0000.cn, badxtdss.github.io, quickchart.io, api.qrserver.com). These actions go beyond a simple 'chat helper' note: they create on-disk artifacts, background services, and interact with third-party servers.
Install Mechanism
There is no formal install spec (instruction-only), which lowers packaged-install risk. But the runtime instructions copy provided scripts into user workspaces and ask to run npm -g wrangler (downloads from npm). The skill's files themselves are included in the package and will be written into user directories by the instructions. No opaque URL downloads are used in the install steps, but running npm install -g and launching scripts written into your home directory is an install-time action the user should review.
! Credentials
The skill requests no declared env vars, yet runtime behavior requires credentials and access it didn’t declare: interactive Cloudflare OAuth (wrangler login) and access to the local 'openclaw' CLI and its data. The bridge clears proxy env vars and may read/write local files and logs (~/.zz, ~/.openclaw/workspace, ~/Library/LaunchAgents). Messages and registration are routed through a central server (ai0000.cn) by default, which will learn user IDs and relay messages; this external dependency and network access are not represented in declared requirements.
! Persistence & Privilege
Instructions create persistent artifacts and services: files under ~/.zz and ~/.openclaw, a long-running watchdog/bridge pair started with nohup, and an optional launchd plist that runs at login and keeps the watchdog alive. The skill is not 'always: true', but it does instruct the agent/user to install persistent background processes and autorun entries — this raises the blast radius if the bridge/watchdog are later modified or compromised.
What to consider before installing
This skill will deploy a Cloudflare Worker under your Cloudflare account (it runs 'wrangler login' and 'wrangler deploy'), start a persistent local bridge process that invokes your local 'openclaw' CLI, write files under ~/.zz and ~/.openclaw, and by default registers/relays via https://ai0000.cn/zz/ (a central server). Before installing:
1) Only proceed if you trust the author and the central server (ai0000.cn). Messages and assigned IDs may be routed through that server.
2) Inspect the included scripts (bridge.py/bridge.js/watchdog.py/worker.js) yourself — they will be copied into your home and run.
3) Be prepared to grant Cloudflare OAuth and ensure you understand what the Worker will do once deployed.
4) Confirm you have and trust the local 'openclaw' CLI (it will be invoked by the bridge) and consider running the bridge manually first instead of installing the launchd plist.
5) If you want tighter control, replace the default API/central-server URL with a server you control, or run the bridge/watchdog inside an isolated VM/container rather than on your main workstation.
6) Note missing declarations: wrangler and openclaw are required but not declared; verify versions and sources before running npm install -g or other privileged installs.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
bridge.js:20: Shell command execution detected (child_process).


Runtime requirements

🦞 Clawdis
