Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apifox

v0.1.0

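Provides feature summaries, table-of-contents extraction, and open-source link aggregation for public YApi products and open-source documentation, supporting lightweight information organization and retrieval.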

by ClawKK @codekungfu
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The package metadata names the skill 'Apifox' while SKILL.md registers a 'YApi' skill (yapi-hot-trend) and points to yapi.pro. Both relate to API documentation tools, so this could be a harmless copy/paste mistake, but the name/description mismatch is an incoherence that should be clarified with the author.
Instruction Scope
SKILL.md instructs the agent to visit public product/documentation pages, wait for dynamic content, extract summaries, directories, and repository links, and explicitly forbids account operations, project writes, or sensitive-data collection. That scope is consistent with the stated purpose of summarizing public docs.
Install Mechanism
No install spec and no code files are present (instruction-only skill). This minimizes on-disk risk; nothing is downloaded or executed by an installer.
Credentials
The skill declares no required environment variables, credentials, or config paths. For a web-scraping / summarization instruction set this is proportionate and appropriate.
Persistence & Privilege
Flags show always:false and autonomous invocation is allowed (the platform default). The skill does not request elevated persistence or to modify other skills/config; this is proportionate.
What to consider before installing
Before installing:
1) Confirm the intended target—ask the author whether this skill is for Apifox or YApi and request matching metadata (name/homepage).
2) Verify source/trustworthiness since 'Source' and 'Homepage' are unknown.
3) If you plan to let an agent crawl the web, run it in a sandboxed environment and ensure it respects robots.txt and rate limits.
4) Because the SKILL.md allows dynamic page loading and generic 'visit product pages' actions, prefer least-privilege network access (restrict domains) until the scope is confirmed.
5) Installation is lower risk (no downloads/credentials), but the metadata mismatch is a red flag — get clarification; if the author cannot clarify, treat the skill as untrusted.


latestvk97dsz3a30t9g5wq21z6gkgfbx839wpc

