Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
仙宫云GPU管家
v1.0.1
API integration tool for the 仙宫云 (Xiangong Cloud) GPU cloud service platform. Supports the full range of operations: instance management, private image management, account management, and more. Use it when the user needs to query or manage 仙宫云 GPU instances, work with private images, check the account balance, or top up the account.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
High confidence
Purpose & Capability
Name, description, SKILL.md, references, and the Python client all consistently implement GPU instance, image, and account management for the stated 仙宫云 API. The operations implemented match the documented API. However, the registry metadata declares no required credentials or config paths while the code requires a local config/config.yaml with an access_token — an incoherence between claimed requirements and the actual need.
Instruction Scope
SKILL.md instructs the agent to run the included script for all actions and documents parameters and examples. The instructions stay within the stated purpose (calls only the provider API). A notable instruction claim — '已在技能配置中完成授权' ("authorization has already been completed in the skill configuration") — is misleading: the bundled config file contains a placeholder token, and the script will raise an error if a real token is not provided.
Install Mechanism
No install spec is provided (instruction-only + included script). There is no external download, package install, or extracted archive; risk from install mechanism is low.
Credentials
The skill requires an API access token but the registry metadata lists no required env vars or config paths. The implementation expects a plaintext token in config/config.yaml inside the skill bundle. This is disproportionate to the metadata and carries a security/usability concern: embedding or instructing users to place sensitive tokens in a plain file inside the project is risky and should be declared explicitly (prefer platform secret storage or environment variables).
Persistence & Privilege
The skill is not always-enabled and does not request persistent elevated privileges or modify other skills. It runs on demand via the provided script. Autonomous invocation is allowed by default but is not combined with other high-risk factors here.
What to consider before installing
This skill appears to be an API client for 仙宫云 and implements the advertised operations, but there are a few issues to consider before installing:
- Credential handling mismatch: the registry metadata does not declare any required credentials or config paths, yet the included script requires config/config.yaml with an access_token. The provided config file contains the placeholder "YOUR_ACCESS_TOKEN_HERE" — you must replace it with a real token for the skill to work. Treat this as sensitive data.
- Do not store secrets in repository files if you can avoid it. Prefer injecting the API token through your platform's secret manager or environment variables rather than embedding it in a plaintext config inside the skill bundle.
- Verify that the API endpoint (https://api.xiangongyun.com) is the legitimate vendor endpoint you expect. If you don't recognize or trust the skill's source (owner ID unknown, no homepage), exercise extra caution.
- Because the script issues network requests using the token, only grant the minimum-scoped token necessary and consider testing the skill from a sandboxed account or environment first.
- If you need stricter assurance, ask the publisher for: (1) confirmation of where the token should be stored (platform secret vs. file), (2) a signed/official source or homepage, and (3) justification for any persistent storage of credentials.
Given the clear mismatch between declared metadata and actual requirements, treat this as suspicious until you confirm the credential handling and source provenance.
