Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Eyun Freight

v1.1.0

Query ocean freight rates and search shipping prices via the Eyun freight assistant

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (querying Eyun freight rates) match the declared requirements: curl and an upstream base URL plus a service token (EYUN_WHALE_IDENTITY). These are expected for a proxy-to-upstream assistant integration.
Instruction Scope
Runtime instructions require the agent to read the skill configuration (openclaw config get skills.entries.eyun_freight) and then POST the user's original question verbatim to EYUN_BASE_URL/chat/sync with the whale-identity token. This is consistent with the purpose but has privacy implications: the skill explicitly forbids confirmation and mandates sending raw user text to the upstream host, which may leak sensitive data if the endpoint is untrusted. The SKILL.md also forbids any local summarization or alteration of upstream responses.
Install Mechanism
Instruction-only skill with no install spec and no code files — lowest-risk installation footprint. It only requires the curl binary to be present.
Credentials
Only two environment values are required (EYUN_BASE_URL and EYUN_WHALE_IDENTITY), with the token declared as the primary credential. That is proportionate to contacting an external service. Ensure the token is scoped, stored securely, and not reused elsewhere.
Persistence & Privilege
Skill does not request permanent/always-on inclusion and does not modify other skills or system settings. It reads its own skill config entry at runtime, which is normal for credential retrieval.
Scan Findings in Context
[no-findings] expected: The static regex scanner found no code to analyze because this is an instruction-only skill (SKILL.md + README). The primary security surface is the SKILL.md instructions, not code.
Assessment
This skill will forward the user's raw query (including any personal or sensitive data) to whatever service is configured at EYUN_BASE_URL and include the EYUN_WHALE_IDENTITY token in the request. Only enable it if you (or your org) control or fully trust the configured upstream host and if the token is limited in scope. Prefer an HTTPS endpoint, avoid putting highly sensitive data in queries, and consider requiring an explicit confirmation step before sending messages that might contain PII. Also verify that the EYUN_WHALE_IDENTITY token is stored securely in your OpenClaw config and rotated/limited as appropriate.

Like a lobster shell, security has layers — review code before you run it.

latestvk973kk3kvr77mmqwjm162pat3184cvav

Runtime requirements

Bins: curl
Env: EYUN_BASE_URL, EYUN_WHALE_IDENTITY
Primary env: EYUN_WHALE_IDENTITY