Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Weekly Menu 每周菜单
v1.0.0
Generate a weekly meal plan with images, recipes, and shopping lists. Searches Xiaohongshu (小红书) for trending seasonal recipes, creates a beautifully formatt...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The declared purpose (generate weekly menus from Xiaohongshu and store them in Feishu) aligns with the instructions: searching Xiaohongshu via agent-reach, composing content, downloading images, and creating Feishu docs. However, the SKILL.md expects access to Feishu app credentials and a receipts folder token (platform config and MEMORY.md) while the skill metadata declares no required env/config paths or credentials — that is an inconsistency.
Instruction Scope
The instructions explicitly tell the agent to read platform files: ~/.openclaw/openclaw.json (channels.feishu.accounts.default) for app_id/app_secret and MEMORY.md for the receipts folder token. They also read and write local profile/history files (meals/profile.yaml, meals/history.yaml) and store downloaded images in workspace/tmp/dishes/. Reading hidden platform config and memory files is outside the skill's obvious scope and can expose other channels' secrets or tokens.
Install Mechanism
Instruction-only skill with no install spec or third-party downloads. No code is written to disk by an installer, which reduces risk from supply-chain installs.
Credentials
The skill metadata declares no required environment variables or credentials, but the workflow requires Feishu app_id/app_secret and a receipts folder token (from platform config/MEMORY.md) and uses agent-reach Xiaohongshu channel. Access to those credentials is proportionate to creating documents in Feishu, but the absence of declared required config/credential fields is inconsistent and could lead to unintentional exposure of platform secrets.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request permanent/always-on presence. It will create and modify documents in the user's Feishu drive (expected for its function) but does not request modifications to other skills or system-wide settings.
Scan Findings in Context
[scanner.no_findings] expected: No regex scan findings — expected because this is an instruction-only skill with no executable code. Absence of findings does not imply safety; main surface is SKILL.md instructions.
What to consider before installing
This skill will search Xiaohongshu (via the agent-reach channel), download images, and create Feishu documents. Before installing:
1) Confirm you want the skill to read/write meals/profile.yaml and meals/history.yaml in the agent workspace.
2) Understand that it expects to read Feishu credentials and folder tokens from platform files (~/.openclaw/openclaw.json and MEMORY.md) — verify what these files contain and whether you are comfortable a skill will access them.
3) Ensure the Feishu channel/account used is limited (create a dedicated app/service account with only the required doc/drive scopes) so a compromised skill can't access unrelated resources.
4) If you prefer stricter disclosure, ask the author to declare required config paths/credentials in the skill metadata (app_id/app_secret and receipts folder token) or modify the workflow to accept explicit, scoped credentials from the user at runtime.
If you cannot verify or restrict the Feishu credentials and MEMORY.md contents, treat this skill as higher-risk and avoid installing it.
Like a lobster shell, security has layers — review code before you run it.
chinese-food · cooking · feishu · latest · meal-planning · xiaohongshu
