ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Meme Collector 热梗收集器

v1.0.0

自动搜集最新网络热梗并写入 Dify 知识库。用于定期更新热梗数据库,支持去重。触发词:"收集热梗"、"更新热梗"、"热梗入库"、"meme collector"。当用户要求搜集/更新/补充网络热梗到 Dify 知识库时使用此 skill。

0· 908·4 current·4 all-time
by@c4chuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md and included script clearly require a Dify DATASET_ID and API_KEY (and optionally a proxy) to list and upload documents, but the registry metadata declares no required environment variables or primary credential. That mismatch is incoherent: a dataset-writing skill should have its credential requirements declared.
Instruction Scope
Runtime instructions use web_search and web_fetch to scrape articles and build structured Markdown entries, then call the provided scripts to upload. This is consistent with the stated purpose. However the instructions permit scraping arbitrary pages and instruct the agent to batch-upload scraped content to Dify; you should ensure content is reviewed before upload (copyright/sensitive-data risk). The SKILL.md also instructs asking the user for credentials if not provided, which is explicit but relies on the user to supply secrets.
Install Mechanism
No install spec — instruction-only plus a small helper script. No network download/install of third-party binaries or archives. The included Python script is readable and interacts only with api.dify.ai, so install risk is low.
!
Credentials
The skill needs Dify credentials (DATASET_ID, API_KEY) and optionally a proxy at runtime, but none of these are declared in the registry metadata. Requesting an API key for the service it uses is proportionate, but the omission in metadata reduces transparency and could cause accidental credential exposure when the agent prompts for them.
Persistence & Privilege
always:false and no requests to modify other skills or system-wide configuration. The skill does not request permanent presence or elevated privileges.
What to consider before installing
This skill appears to do what it says (scrape public pages and write structured entries to a Dify dataset), but the registry metadata doesn't list the Dify credentials it requires — that's a transparency issue. Before installing: (1) verify the skill's source or run it in a sandbox/test agent; (2) only provide a Dify API key with the minimal scope or a throwaway/test dataset ID; (3) consider requiring a manual review step before batch upload to avoid publishing copyrighted or sensitive content; (4) confirm you trust the agent's web_fetch/web_search tools and their network access; (5) if you need stronger assurance, ask the publisher to update the metadata to declare DATASET_ID/API_KEY and to provide a homepage or source provenance.

Like a lobster shell, security has layers — review code before you run it.

latestvk971r2qb30p35h1j179hvzbec580z2a0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments