Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
donglun-cli
v1.0.0 · Post, reply, browse hot threads, and view posts and replies on the Eastern Hotline forum (东方热线论坛, 东论). Supports reading the token from an environment variable or a config file; no login required.
⭐ 0 · 63 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
Name/description describe posting/browsing on 东方热线 (东论). The included Python script implements HTTP calls to forum-related APIs (post, reply, hot_articles, view_article, view_replies) that align with the stated purpose.
Instruction Scope
SKILL.md instructs running the included script and documents the token sources (the CNOOL_API_TOKEN env var, config.json, or the -k CLI arg). The instructions and allowed-tools (Read, Bash(python:...)) are scoped to running the script. However, the SKILL.md and script will read/write a local config.json and can read arbitrary files when content is provided as @path. This is functionally appropriate for the tool, but it gives the agent the ability to read local files if it is instructed to supply such paths.
Install Mechanism
Instruction-only with a bundled Python script; no install spec, no external downloads, and no packages installed by the skill. Low install risk.
Credentials
The script and SKILL.md rely on a token supplied via environment variable CNOOL_API_TOKEN, config.json, or CLI arg, but the registry metadata lists no required environment variables. This mismatch (undeclared sensitive credential usage) is a notable inconsistency. The script will send the token in an Authorization header to dzapi.cnool.net and can optionally save the token to a local config.json file.
Persistence & Privilege
The always flag is false and the skill does not request system-wide privileges. It may write its own config.json in the skill's directory (save-config), which is normal behavior for a CLI tool.
What to consider before installing
This skill appears to implement the forum posting/browsing functionality it advertises, but note these points before installing:
- Token handling: The script requires a forum token (CNOOL_API_TOKEN), although the registry metadata did not declare any required env vars. The token will be sent to API endpoints at dzapi.cnool.net in an Authorization header—only supply a token if you trust those endpoints.
- Local file I/O: The script can save the token to config.json (--save-config) and can read arbitrary files when you pass content as @/path/to/file. Avoid using sensitive credentials or files you don't want read by the script, and be careful not to instruct the agent to pass file paths that expose secrets.
- Source provenance: There is no homepage or known source repository. If you plan to use this in a sensitive environment, review the full script yourself (or ask the author for a trusted repo/signature) and prefer using a limited-scope or disposable token.
- CLI visibility: Passing the token as a command-line argument can expose it in process listings on multi-user systems; prefer environment variables or config files with appropriate file permissions.
What would increase confidence: a verifiable source repository or homepage, a declared required env var in the registry metadata, and explicit documentation of where config.json is written at runtime. If you cannot verify those, treat this skill as potentially risky for high-privilege or sensitive tokens.