ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

本地研究资料查询

v0.1.1

统一查询本地研究资料库,默认同时搜索 AlphaPai 归档和 knowledge_bases,支持精确检索、向量检索和混合检索,并默认排除 private 资料库如 personal。

0· 157·0 current·0 all-time
by@clawdbotrr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (unified local archive query) aligns with the code: unified_query.py builds and runs per-source query commands for alphapai and knowledge_bases and merges results. Requiring local archive scripts (alphapai-scraper, knowledge_bases) is coherent with the stated purpose.
!
Instruction Scope
SKILL.md and unified_query.py instruct running local Python scripts and will import/execute code from other workspace locations (e.g., skills/alphapai-scraper/scripts/query_comments.py, knowledge_bases/kb_engine.py and analyze.run_ai_analysis). Those external scripts can read any local files, environment variables, or network endpoints; the skill text does not list or limit what those scripts may access. SKILL.md also includes a hard-coded example path (/Users/bot/.openclaw/...), which may be inaccurate and indicates assumptions about the runtime environment.
Install Mechanism
No install spec (instruction-only with bundled scripts) — nothing is downloaded from the network during install. The code does execute local scripts via subprocess.run, which is expected for a query aggregator but increases runtime risk because it delegates work to other local code.
!
Credentials
The skill declares no required env vars, yet it imports analyze.run_ai_analysis and common.load_settings from the alphapai scripts and invokes other engine scripts; those modules commonly require API keys or configuration. Because required credentials are not declared, the skill may rely on (or leak to) existing environment secrets without warning. The skill can also read/write under ~/.openclaw/data, which is logical but gives it write access to user data.
Persistence & Privilege
always is false and there is no install script that modifies other skills or global agent settings. The skill will run locally and can be invoked; autonomous invocation is allowed by platform default but is not combined with an elevated 'always' flag here.
What to consider before installing
This skill appears to do what it says (query local AlphaPai and knowledge_bases archives) but it executes and imports other local scripts that are not part of the published files. Before installing or enabling: 1) Inspect the referenced scripts (skills/alphapai-scraper/scripts/* and knowledge_bases/kb_engine.py and analyze.py) for network calls, credential use, or data exfiltration. 2) Confirm whether those modules read API keys or config files (e.g., OpenAI keys) — the skill does not declare required env vars. 3) Test the skill in a sandbox account or environment first, and ensure private scopes are correctly excluded by default. 4) Correct the hard-coded example path in SKILL.md if needed. If you cannot review the referenced code or do not trust the other workspace components, treat this skill as potentially risky.

Like a lobster shell, security has layers — review code before you run it.

latestvk9708vm9ds71kxjp60ayeqc1p1832ftr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments