Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CC-BOS: Classical Chinese Jailbreak Framework

v1.0.0

CC-BOS optimizes classical Chinese adversarial jailbreak prompts, detects such attacks, and analyzes results for AI safety research and defense.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (jailbreak optimization, detection, and analysis) matches the included code (attack.py, defend.py, research.py). However, the registry metadata declares no required environment variables or credentials, while SKILL.md and config.json clearly expect multiple API keys (optimizer, target, judge, translator; for example DEEPSEEK_API_KEY and OPENAI_API_KEY). That mismatch is an incoherence that should be resolved before trusting the skill.
Instruction Scope
SKILL.md and the scripts explicitly instruct the agent to: clone an upstream repo, run optimization loops that generate adversarial classical-Chinese prompts and call optimizer/target/judge LLMs, and optionally translate/analyze results. Those actions stay within the described research/red-team scope, but the attack mode does create and send harmful queries to remote LLM APIs (expected for the stated purpose). The defend mode optionally performs LLM-based intent analysis (which also requires credentials). The instructions do not appear to read unrelated secrets or system files beyond the user's workspace, but they will read/write under the user's workspace and call external APIs.
Install Mechanism
There is no formal install spec in the registry, but scripts/setup.py will git-clone the upstream repo into the user's workspace (.upstream/CC-BOS) and run pip installs (openai, anthropic, pandas, numpy, tqdm) via the environment's `uv` command. The sources are GitHub, not an unknown host, but the setup will write to disk and install Python packages — moderate-risk operations that should be inspected and run in an isolated environment.
Credentials
The toolkit legitimately requires multiple LLM API credentials (optimizer, target, judge, translator) and base URLs per config.json and SKILL.md. Those are proportional to the skill's function. The problem: the registry metadata listed no required env vars, creating a gap between claimed and actual requirements. Additionally, multiple credentials increase the blast radius if keys are reused; the skill will accept API keys via env or CLI so users must avoid exposing high-privilege keys.
Persistence & Privilege
The skill does not request always:true, does not modify other skills' configs, and does not demand elevated system privileges. It will clone code into the agent workspace and write results there, which is normal for a repo-based research skill.
What to consider before installing
This package implements a real research-grade jailbreak generator and detector and will call external LLM APIs. Before installing:
1) Be aware the skill needs API keys (optimizer/target/judge/translator) even though the registry metadata omitted them; check config.json and SKILL.md.
2) Run setup and attack scripts only in an isolated test environment or sandbox, and prefer dry-run mode to avoid sending harmful queries to live models.
3) Do not use production/high-privilege API keys; create limited/test accounts or use mocked endpoints when testing.
4) Inspect the upstream repository (https://github.com/xunhuang123/CC-BOS) and the included scripts yourself; the setup script will clone that repo and pip-install dependencies.
5) If you intend to use only the defend/detection features, use --no-llm (or disable LLM calls) to avoid supplying API keys.
6) If the registry should have declared required env vars, ask the publisher to correct the metadata before granting the skill access to credentials.


