ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

kmdr - Kmoe Manga Downloader

v1.0.0-a0

Kmoe 漫画下载器。支持搜索漫画、下载漫画、管理凭证池等。当用户想要从 Kmoe 网站下载漫画、搜索漫画、管理下载账号配额时触发此 skill。

0· 54·0 current·0 all-time
by@chrisis58
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the runtime instructions: the SKILL.md documents using the 'kmdr' CLI (kmoe-manga-downloader) to search, download, and manage account pools on Kmoe. There are no unrelated requirements (no cloud credentials, no unrelated binaries).
Instruction Scope
Instructions stay within the downloader's scope (search, download, status, pool, config). However the skill explicitly permits the agent to perform login on behalf of the user and warns credentials will appear in the conversation; that is within the stated purpose but raises a sensitive-data exposure risk. The SKILL.md also recommends running 'pip install --pre' for the CLI (see install note).
Install Mechanism
The skill is instruction-only (no registry install). It instructs users to 'pip install --pre "kmoe-manga-downloader>=1.4.0.a0,<2.0.0"'. Because installation is manual (not performed by the skill), risk is limited, but asking to install a pre-release package without a homepage or trusted source increases trust burden — verify the package/project before installing.
Credentials
The skill declares no required environment variables or config paths. The documented behavior requires storing cookies/credentials locally (kmdr manages a credential pool) which is proportional to a downloader that needs account authentication. There are no unrelated secrets requested by the skill itself.
Persistence & Privilege
No 'always: true' flag, no install-time modifications or requests to alter other skills or system-wide settings. The skill does permit autonomous invocation by default (platform normal), but it does not request elevated persistence or privileges.
Assessment
This skill appears to be what it says: a wrapper/guide for the kmdr CLI. Before using: 1) Prefer manual login in your terminal rather than pasting username/password into the chat — the skill warns that credentials will appear in conversation. 2) If you install the CLI, verify the PyPI package/project repository (the SKILL.md suggests installing a pre-release) and consider installing in a virtualenv. 3) Be aware kmdr stores cookies/credentials locally — check where those files live and secure them. 4) If you must let the agent perform login, only do so in a trusted environment and be prepared that credentials may be retained in chat history.

Like a lobster shell, security has layers — review code before you run it.

latestvk97212zzyt789xm8krn9emqea584f7rvprevk97212zzyt789xm8krn9emqea584f7rv

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments