ClawHub

Volcengine Ai Entry Ark

v1.0.0

Entry skill for Volcengine ARK model invocation and routing. Use when users ask to start with ARK, need request templates, endpoint setup, model routing, or authentication troubleshooting.

0· 858·0 current·0 all-time
by@cinience
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, the prompt archetype (routing ARK requests), and the included request template are coherent: the skill's stated purpose (helping with Volcengine ARK invocation, templates, routing, and troubleshooting) matches the SKILL.md content.
!
Instruction Scope
SKILL.md explicitly instructs the agent to collect ARK_API_KEY and to run a curl against an ARK endpoint. That is within the claimed scope, but the example uses the host 'ark.cn-beijing.volces.com' (note: 'volces.com' looks like a typo or malicious domain versus expected 'volcengine.com' or an official volcengine domain). The instructions do not request or read arbitrary local files or other credentials, but they do guide the agent to collect a sensitive API key and send it to an endpoint whose hostname should be verified.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk and no third-party packages are pulled in, which lowers installation risk.
!
Credentials
SKILL.md lists ARK_API_KEY and endpoint ID as inputs to collect, but the skill metadata declares no required environment variables or primary credential. This mismatch is an incoherence: the skill will prompt for/expect a sensitive API key but the registry metadata does not advertise or gate that need. Requesting a single ARK API key is proportional to the stated purpose, but the omission in metadata and the suspicious endpoint hostname raise concerns about where a key would be transmitted.
Persistence & Privilege
No always:true, no config paths, no installs, and no modification of other skills' configs. The skill is user-invocable and can be invoked autonomously (platform default), which is expected for skills of this type.
What to consider before installing
The skill's content itself looks like a normal ARK request helper, but there are two red flags you should address before entering secrets: (1) the SKILL.md asks you to provide ARK_API_KEY yet the registry metadata lists no required env/primary credential — confirm with the publisher why the metadata omits this and whether the skill will store or transmit the key; (2) verify the example endpoint hostname (ark.cn-beijing.volces.com). That domain does not match expected volcengine hostnames and could be a typo or a malicious endpoint. Only provide your real API key after you confirm the correct official endpoint and the publisher's identity (or test with a revoked/dummy key first). If you can't verify the source, do not enter secrets and prefer using official Volcengine docs or an official SDK/integration instead.

Like a lobster shell, security has layers — review code before you run it.

latestvk975js1cc0rk7724jbrtca8adh80z752

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments