Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description claim: provide TED Talks, bilingual subtitles, and core-insight analysis. Actual SKILL.md: lists course-selection filters, return fields about study time, mastery analysis, wrong-question book sync, teacher resumes, course downloads, exam reports and certification linkage. There is no guidance about fetching TED content, accessing subtitle sources, or calling any TED API — this is a clear mismatch between stated purpose and declared runtime behavior.
Instruction Scope
SKILL.md instructs the agent conceptually to surface and manage user-learning data (e.g., '错题本同步', '讲义下载进度', '学历认证关联') but provides no concrete API, endpoints, or credentials. These items imply reading or synchronizing user data, yet the skill declares no env vars or config paths. The instructions are vague and grant broad, undefined discretion ('筛选项' and '返回字段') rather than concrete, bounded steps.
Install Mechanism
Instruction-only skill with no install spec and no code files. Low install risk because nothing is written to disk or downloaded during install.
Credentials
The skill declares no required environment variables or credentials (proportionate to the absence of implementation). However, the behaviors described (syncing wrong-question notebooks, downloading materials, linking certifications) would normally require access to user accounts/APIs and credentials — those are not declared or explained, which is a red flag about completeness and transparency.
Persistence & Privilege
The skill does not request always:true and is user-invocable with normal autonomous invocation allowed. It does not declare any persistence or system-wide config changes.
What to consider before installing
This skill's description (TED content + bilingual subtitles) does not match its runtime instructions (course-selection and learning-progress fields). Before installing: ask the author for the source/homepage and for clarification about what the skill actually does. Specific questions: 1) How does it fetch TED videos/subtitles (which API/endpoints)? 2) What data does it read or sync from the user (e.g., '错题本', certification records), and what credentials/access are required? 3) Where are lecture materials stored and how are downloads authorized? If the developer cannot explain these, treat the skill as incomplete or unreliable. Because it's instruction-only with no code or declared credentials, installing it is lower technical risk but still unwise until the functionality mismatch is resolved.Like a lobster shell, security has layers — review code before you run it.
latestvk973cryrymgan233pg9x1wv18h835d7f
License
MIT-0
Free to use, modify, and redistribute. No attribution required.