Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
My
v1.0.0
Generates daily tech news HTML reports from IT之家 and 快科技 with iOS liquid glass style, full text, images, and categorized sections.
by @choksta
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
Description and SKILL.md state the skill will '抓取' (scrape) IT之家 + 快科技 and produce complete articles, but the shipped script (scripts/gen_html.py) does not perform any network requests or scraping. Instead it loads a local JSON and local images. Expectation mismatch: either scraping code is missing or SKILL.md is inaccurate.
Instruction Scope
SKILL.md instructs fetching RSS and list pages, downloading images, and constructing JSON, but the runtime instruction to run python scripts/gen_html.py only builds HTML from an already-prepared JSON and image directory. The instructions would have the agent access external sites if implemented, but the provided code only reads specific local file paths (hard-coded Windows paths). This is scope creep / inconsistency.
Install Mechanism
No install spec and only a single small Python script and a docs file are included. No remote downloads, package installs, or archive extraction are present — low install risk.
Credentials
The skill declares no required env vars or credentials (ok). However, the script hard-codes absolute Windows paths under C:\Users\choksta (DATA_FILE, IMG_DIR, OUT_FILE). That is unusual and may cause unexpected file reads/writes on a host where those paths exist; it also means the script won't work out-of-the-box elsewhere. No credentials are requested or used in code.
Persistence & Privilege
always is false and there is no install step that modifies agent/system configuration. The skill does not request persistent privileges or attempt to change other skills' settings.
What to consider before installing
This skill is inconsistent: it promises web scraping and automated collection but only includes an HTML generator that reads a local JSON and image directory. Before using it, confirm which behavior you expect: if you need automatic scraping, the scraping/downloading code is missing and must be provided or the SKILL.md should be corrected. Also edit DATA_FILE/IMG_DIR/OUT_FILE to sensible paths for your machine (the script currently points to C:\Users\choksta...). If you run the agent to perform the web fetches described in SKILL.md, be aware the agent would access external sites (IT之家 and 快科技) — verify you trust that network activity. Finally, since the script reads and writes local files, inspect or adjust paths to avoid unintended access to other user data.
Like a lobster shell, security has layers — review code before you run it.
latest vk976rteqqzcgwvj0hbsd0x3ssx8430fm
