Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
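Novai360 Cross-Border E-commerce Intelligent Analysis
v1.0.2
Built on NOVAI360. Provides cross-border e-commerce market, product, competition and financial analysis, and supports developing brand overseas-expansion strategy. Limited to 10 free calls per day.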
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The code (index.js) and manifest match the description: they POST user queries to a NOVAI360 /chat endpoint and fetch /skills. Requiring a remote API is coherent for an analysis service. Minor incoherences: manifest version is 2.0.0 while registry lists 1.0.2, and SKILL.md mentions '每日限10次免费调用' (limited to 10 free calls per day) whereas manifest.limits.dailyCalls is 100.
Instruction Scope
The runtime instructions and index.js will transmit the user's input and the provided 'context' blob to an external API (default https://api.novai360.com). SKILL.md asserts '不存储敏感用户信息' (does not store sensitive user information) but there is no technical control enforcing that; any sensitive data in input/context could be sent off‑platform.
Install Mechanism
No install spec or third‑party downloads are present. The skill is instruction/code-only (index.js) and does not write files or run installers — low install risk.
Credentials
No credentials are requested (authentication: none) and NOVAI360_API_URL is optional, which is proportional. However, the skill's behavior (sending potentially sensitive context to an external service without auth) creates a privacy/credential‑exfiltration risk in practice. The skill asks for no secrets but will forward whatever context the agent provides.
Persistence & Privilege
always is false and the skill does not request persistent system privileges or modify other skills. It runs as a normal invocable skill.
What to consider before installing
This skill delegates analysis to a remote API (default https://api.novai360.com) and will POST both your query and the agent 'context' to that endpoint with no authentication. The SKILL.md claims data aren’t stored, but there is no technical guarantee here. Before installing: avoid sending passwords, secrets, or other sensitive material through this skill; verify the publisher and service privacy policy if possible; note the manifest/README inconsistencies (daily limits and version). If you need tighter control, set NOVAI360_API_URL to a controlled proxy that logs/filters data, or test the skill thoroughly with non‑sensitive queries first.
index.js:3
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
