ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cloudnet AI Diagnostics

v1.0.0

Cloudnet AI Diagnostics针对无线场景下终端体验差、网卡、无法接入 WiFi 等问题进行排障的技能

0· 15·0 current·0 all-time
byCloudnet@cloudnet-skills
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The SKILL.md describes Cloudnet diagnostics and the runtime steps call cloudnet-mcp via the mcporter CLI using a CLOUDNET_API_KEY — this is coherent. However, registry metadata lists no required env vars while also declaring a primaryEnv (CLOUDNET_API_KEY), and the required-bins list includes 'mcporter' although the instructions tell the user to install mcporter. These metadata/instruction mismatches reduce confidence in correctness.
Instruction Scope
The instructions stay within the stated purpose: extract location/client/time from the user, call mcporter cloudnet-mcp APIs to get shop IDs and run executeStaDiagnosis, then analyze results and present conclusions. The skill does not instruct reading unrelated system files or exfiltrating data beyond the Cloudnet platform.
Install Mechanism
This is an instruction-only skill (no install spec), which is low platform risk. But the runtime doc tells the user/agent to run 'npm install -g mcporter' (a global package install that writes to disk and may require elevated permissions). The platform metadata did not supply an automated, auditable install step — the install is manual/out-of-band.
!
Credentials
The skill legitimately needs CLOUDNET_API_KEY and optionally CLOUDNET_BASE_URL to call Cloudnet APIs. However, the registry summary contradicted the SKILL.md by listing no required env vars while primaryEnv is set to CLOUDNET_API_KEY. That mismatch is suspicious and should be clarified before providing credentials.
Persistence & Privilege
The skill is not always-enabled and does not request special platform persistence. It can be invoked by the agent (normal default). There is no evidence it modifies other skills or system-wide configuration.
What to consider before installing
This skill appears to be a legitimate Cloudnet Wi‑Fi diagnostics helper, but there are a few red flags to check before installing or giving it credentials: (1) confirm the owner and verify the official mcporter npm package (to avoid installing a malicious package); (2) note that SKILL.md requires CLOUDNET_API_KEY, but the registry metadata does not list required env vars — clarify this mismatch and only provide a scoped API key with minimal privileges; (3) installing mcporter globally (npm install -g) may require elevated rights—consider installing in a controlled environment or container; (4) ask whether the Cloudnet API key will be stored or transmitted by the agent and where logs/diagnostic data will be sent; (5) if you proceed, rotate the API key after use and restrict its scope. If you need higher assurance, request a published homepage/source, an install spec that pulls mcporter from an audited source (e.g., official registry entry or GitHub release), or run the tool in an isolated environment.

Like a lobster shell, security has layers — review code before you run it.

latestvk971x05y4t9np88dbc46zkf3w584n0r4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnpm, mcporter
Primary envCLOUDNET_API_KEY

Comments