Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nova Skill Evolution Tracker — 技能进化追踪系统

v1.0.0

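A self-evolution tracking system for skills distilled by Nova. Features: version records · monthly information-source monitoring · diff analysis · update-recommendation notifications. Use case: monitor the latest activity of already-distilled experts and automatically detect content that needs updating, so that SKILL.md does not go stale over time. Trigger phrases: 「skill更新」 (skill update), 「版本记录」 (version record), 「专家动态」 (expert updates), 「技能进化」 (skill evolution), 「监测」 (monitoring)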

by CatPluZ @catplus-eric

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for catplus-eric/skill-evolution-tracker.

Install the skill "Nova Skill Evolution Tracker — 技能进化追踪系统" (catplus-eric/skill-evolution-tracker) from ClawHub.
Skill page: https://clawhub.ai/catplus-eric/skill-evolution-tracker
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install skill-evolution-tracker

ClawHub CLI


npx clawhub@latest install skill-evolution-tracker

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

! Purpose & Capability
The skill claims to monitor external blogs/social media, run LLM-based diff analysis, and send notifications to an approver (Eric). However, no environment variables or credential requirements are declared for accessing LLM APIs or sending messages (enterprise WeChat). The presence of code that reads other skills' SKILL.md files (/workspace/skills/<skill_id>/SKILL.md) is coherent with diffing, but the notification and LLM integration called out in SKILL.md are not reflected in the declared environment or config.
! Instruction Scope
SKILL.md instructs monthly checks of external sources, generation of LLM prompts, and pushing reports to enterprise WeChat. The script includes LLM prompt construction but the visible code does not perform network fetching of the listed URLs nor show LLM API calls or notification logic (script was truncated). The instructions also direct reading SKILL.md files for other skills in the workspace — that is expected for this purpose, but it implies access to all skills' content which should be explicit and consented to.
Install Mechanism
No install spec is present (instruction-only plus included script). That minimizes install-time risk since nothing is fetched or written by an installer. The repository contains a Python script and JSON history files; no external installer or remote download URLs are declared.
! Credentials
The skill needs network access, LLM API credentials, and credentials for enterprise WeChat (to 'push' reports), but requires.env and primary credential fields are empty. That mismatch means either credentials are expected to exist elsewhere (not declared) or the skill is incomplete. Requiring unrestricted read access to /workspace/skills (to read other SKILL.md files) is reasonable for a tracker, but credentials for external services should be explicitly declared and scoped.
Persistence & Privilege
always is false and the skill appears to only write its own history and reports under its own subpaths (history/, reports/). It does read other skills' SKILL.md files in /workspace/skills which is required for its stated function; no evidence it attempts to modify other skills' configs or system-wide settings.
What to consider before installing
This skill appears to be an incomplete or partially-implemented monitoring tool rather than clearly malicious, but there are important inconsistencies you should resolve before installing it in a live environment:
- Missing credential declarations: The SKILL.md and comments describe calling an LLM for diff analysis and sending notifications via enterprise WeChat, but the package does not declare or request API keys or messaging credentials. Ask the author which environment variables or secrets are required (LLM_API_KEY, WECHAT_APPID/SECRET or webhook, etc.) and insist they be explicitly documented.
- Confirm network behavior: The script lists many external URLs to be scraped (Twitter/LinkedIn/blogs). Verify exactly how fetching will be performed (HTTP clients), whether JavaScript-rendered pages are needed, and whether rate-limiting / robots.txt / access policies are respected. If you run it, run in a network-restricted or sandboxed environment until you review full network calls.
- Review the rest of the script: The provided script was truncated; ask for the full source to confirm there are no hidden exfiltration paths, undisclosed endpoints, or arbitrary subprocess executions. Pay attention to any code that would POST data to third-party endpoints or read files outside /workspace/skills.
- Least privilege and secrets handling: If you approve running it, provide only scoped credentials (e.g., a webhook token limited to the notification channel) and ensure any LLM API key has usage limits and monitoring. Avoid giving it access to broad cloud or company credentials.
- Test in isolation: Run the tool in a sandboxed workspace with a small set of test skills and monitor network traffic and filesystem writes before enabling scheduled runs.
If you can obtain the full script (untruncated) and a clear list of required environment variables and endpoints, that information would likely move this assessment toward 'benign' if everything is narrowly scoped and documented.

Like a lobster shell, security has layers — review code before you run it.

Tags: auto-upgrade, evolution, latest, nova, skill-management, version-control
67 downloads
0 stars
1 version
Updated 1w ago
v1.0.0
MIT-0

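Skill Evolution Tracker · 技能进化追踪器

"The best Skill is not one that is distilled once and then finished; it is one that evolves along with the expert."


Identity Activation

Who I am: A core component of the Nova Skill evolution system, an automated tool for Skill version management and update monitoring.

My responsibilities:

  1. Record each Skill's version history (history/)
  2. Check every expert's latest information sources once a month
  3. Generate diff analysis reports
  4. Push update recommendations to Eric for approval

Activation condition: Activated whenever Nova receives a task related to "Skill updates", "version management", or "expert updates".


Core Functions

Function 1: Version Records

Each Skill's version history is stored at:
/workspace/skills/skill-evolution-tracker/history/skill_versions.json

Format: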
{
  "skills": {
    "<skill_id>": {
      "version": "1.0.0",
      "last_updated": "2026-04-15",
      "publish_code": "k97c25kvbwx58nghs4eaa5k9sn84w0m3",
      "changelog": [
        {
          "version": "1.0.0",
          "date": "2026-04-15",
          "change_type": "initial",
          "change_summary": "...",
          "approved_by": "Eric"
        }
      ]
    }
  }
}

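Function 2: Monthly Monitoring

Runs automatically on the 1st of each month:
  python3 /workspace/skills/skill-evolution-tracker/scripts/skill_monitor.py --all

What is checked:
  ① Every expert's latest official blog posts/articles
  ② Latest social media posts (LinkedIn/Twitter)
  ③ Public talks/interviews/podcast content

Decision logic:
  → Significant new viewpoints → mark as major, requires Eric's approval
  → Incremental additions → mark as minor, generate a diff report
  → No change → record the check date, continue monitoring

Function 3: Diff Analysis (Diff Report)

When an update is detected, a report is generated in:
/workspace/skills/skill-evolution-tracker/reports/

Report contents:
  ## [Skill name] Evolution Report - YYYY-MM-DD
  
  ### Detected changes
  - Change 1
  - Change 2
  
  ### Current version vs. new content
  [diff summary]
  
  ### Update recommendation
  - Recommended update type: major / minor
  - Sections that need to be modified: ...
  
  ### Eric's approval status
  - [ ] Approved, update agreed
  - [ ] Needs discussion
  - [ ] Do not update for now

Function 4: Automatic Notification

After the monthly check completes:
  → Generate report → notify Eric via enterprise WeChat
  → Message format:
    【Skill Evolution Reminder 📡】
    N skills may need updating:
    ① Rau - new viewpoints (needs your approval)
    ② Naval - no change (checked)
    ③ 守拙 - incremental additions (diff report generated)

Version Update Rules

Version number format: major.minor.patch

major (major version):
  → The expert's core mental model has changed significantly
  → Eric must approve

minor (minor version):
  → New viewpoints/cases/phrasing added
  → Updated after Eric's approval

patch (patch version):
  → Text corrections/formatting adjustments
  → Updated automatically (no approval required, but logged)

How to Invoke

  • 「检查Skill更新」 (check Skill updates)
  • 「Skill版本」 (Skill version)
  • 「专家动态」 (expert updates)
  • 「哪个Skill需要更新了」 (which Skill needs updating)
  • 「Skill进化报告」 (Skill evolution report)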

Skill Evolution Tracker v1.0 | Nova Group A | 2026-04-15
