ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CloudPlus

操作云加(CloudPlus)企业通讯应用。当用户需要通过云加发消息、发文件、搜索联系人、查聊天记录、搜索群聊、搜索文件、打开应用或链接时触发。关键词:云加、发消息、发文件、聊天记录、搜索联系人、群聊、轻应用。

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 100 · 0 current installs · 0 all-time installs
byyb1222@billyang1222
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The skill is an instruction-only wrapper around a CLI (mcp-cloudplus). Requiring node/npm and describing commands to send messages, files, search contacts, open apps, and fetch chat history is coherent with the stated CloudPlus integration purpose. Minor note: the SKILL.md checks for a binary named `mcp-cloudplus` but installs an npm package named `cloudplus-mcp-server` (this is plausible but worth verifying the package->binary mapping).
Instruction Scope
The instructions tell the agent to check for Node and the mcp-cloudplus binary, and to run various mcp-cloudplus commands. They also instruct installing the npm package if missing and to check file existence before sending. The scope stays within the CloudPlus use case, but it grants the agent permission to install and execute third-party code at runtime and to access local files when sending files or reading paths.
Install Mechanism
There is no formal install spec in the registry, but the SKILL.md directs a runtime `npm install -g cloudplus-mcp-server`. Installing a global npm package will download and execute third-party code from the npm registry; this is a moderate-risk action and should be verified (package reputation, source, and code) before allowing automatic installation.
Credentials
The skill requests no environment variables or credentials. That is proportionate to a local CLI-based integration which appears to rely on the CloudPlus desktop client for authentication.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. However, its runtime instructions perform a global npm install, which creates a persistent system-wide binary. This is a side-effect outside the skill metadata and should be considered by the user/administrator.
Assessment
This skill is coherent with its stated purpose but asks the agent to install a global npm package at runtime, which downloads and runs third-party code. Before installing or allowing automatic installation: 1) Verify the npm package (cloudplus-mcp-server) on npmjs.org or the vendor's site and confirm it actually provides the mcp-cloudplus binary; 2) Inspect the package contents or source repo if possible; 3) Prefer to install the CLI yourself (or in a sandbox/container) rather than allowing the agent to run `npm install -g`; 4) Be aware the CLI can read local file paths when sending files—do not allow sending sensitive files without explicit consent; 5) If you don't trust the package or cannot verify it, decline installation and ask for a vetted integration from your CloudPlus administrator.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk97dhymn9nase8mcy24v1hzyv1834zm4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, npm

SKILL.md

CloudPlus Skill

环境准备

在执行任何操作前,按以下顺序检查:

第一步:检查 Node.js 是否安装

node --version

如果命令不存在,告知用户先安装 Node.js(https://nodejs.org),安装完成后再继续。

第二步:检查 mcp-cloudplus 是否安装

which mcp-cloudplus

如果命令不存在,执行安装:

npm install -g cloudplus-mcp-server

安装完成后继续执行用户请求。

命令列表

所有命令输出 JSON,格式为 {"success":true,"data":{...}}{"success":false,"error":"..."}

发送消息

mcp-cloudplus send-text --to <用户名或群名> --message <内容>

发送文件

mcp-cloudplus send-file --to <用户名或群名> --file <文件路径>

发送之前先确认完整路径,并检查文件是否存在

搜索联系人

mcp-cloudplus search-user <关键词>

支持姓名、手机号模糊搜索,最多返回 50 条。

搜索群聊

mcp-cloudplus search-group-chat <关键词>

搜索聊天文件

mcp-cloudplus search-file <关键词>

搜索聊天消息

mcp-cloudplus search-message <关键词>

搜索轻应用

mcp-cloudplus search-light-apps <关键词>

获取聊天记录

mcp-cloudplus get-chat-history --username <用户名或群名> --start <YYYY-MM-DD> [--end <YYYY-MM-DD>]

--end 不填默认为当前时间。

获取收藏内容

mcp-cloudplus get-collect-content

在云加中打开链接

mcp-cloudplus open-url <url>

在云加中打开轻应用

mcp-cloudplus open-app <应用名>

启动云加

mcp-cloudplus open-cloudplus

错误处理

  • 找不到管道路径文件 → 提示用户确认云加桌面客户端是否已启动
  • success: false 且其他错误 → 将 error 字段内容告知用户
  • 命令不存在 → 重新执行安装步骤

操作流程

  1. 检查 mcp-cloudplus 是否安装,未安装则安装
  2. 执行对应命令
  3. 解析 JSON 结果
  4. 用自然语言向用户反馈结果,不要把原始 JSON 直接展示给用户

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…