Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

qwencloud-text

v0.1.0

[QwenCloud] Generate text, have conversations, write code, reason, and call functions with Qwen models. TRIGGER when: user asks to chat with Qwen, generate t...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The skill's name/description claim a Qwen text/chat client. The code and SKILL.md clearly expect an API key (DASHSCOPE_API_KEY or QWEN_API_KEY), base URL/region overrides, and other runtime environment items — but the registry metadata lists no required environment variables. That mismatch is notable: a text-generation skill legitimately needs an API key, so the registry metadata is incomplete/incoherent.
Instruction Scope
SKILL.md and references stay largely on-purpose (how to call the Qwen-compatible API, curl/python examples, function-calling guidance). However the runtime instructions and reference docs also instruct the agent to load local .env files, read bundled scripts and reference files, generate fallback scripts/curl commands, and (via agent-compatibility.md) suggest modifying agent/project config files (with the caveat 'Ask the user before modifying any file'). These actions (reading .env, loading bundled code, editing config files) are within scope for a client but expand the surface area and require explicit user consent.
Install Mechanism
This is instruction-plus-bundled-scripts (no external install spec). All code is included; there are no remote downloads or package installs declared. That limits supply-chain risk compared to fetching code at runtime, though bundled code will run locally when invoked.
! Credentials
The skill requires an API key (DASHSCOPE_API_KEY / QWEN_API_KEY) and accepts QWEN_BASE_URL / QWEN_REGION; these are proportionate to its purpose. However the registry metadata did not declare any required env vars or a primary credential — a clear inconsistency. The code also loads .env files into process env (load_dotenv), which can bring secrets into the skill at runtime; that behavior is expected but worth noting. No unrelated credentials are requested in the code.
Persistence & Privilege
The skill does not declare always:true and will not be force-included. It does write to repo-local state (.agents/state.json) via its update-check helper and may run a local subprocess to invoke other local skill scripts if present. It also provides guidance for appending registration markers to agent config files (but instructs to ask first). These are repo-scoped side effects (not system-wide), but they are persistent and should be allowed explicitly by the user.
Scan Findings in Context
[system-prompt-override] unexpected: The pre-scan detected a 'system-prompt-override' pattern in SKILL.md. The SKILL.md contains directives like 'read this skill's SKILL.md before first use' and frontmatter 'compatibility' guidance which could be used to influence agent behavior. While the skill legitimately needs runtime instructions, any attempt to override or alter an agent's system prompt should be reviewed carefully; this finding signals potential prompt-injection style content rather than benign code.
What to consider before installing
What to check before installing/using:
- Metadata mismatch: The registry lists no required env vars, but the code and SKILL.md require DASHSCOPE_API_KEY (or QWEN_API_KEY). Do not install unless you intend to provide a Qwen API key.
- Inspect bundled scripts yourself: scripts/text.py, qwencloud_lib.py, and gossamer.py are included — review them (they are stdlib-only and readable). Confirm there are no unexpected remote endpoints beyond the documented Qwen/DashScope URLs and that the code only uses your provided key for API calls.
- Secrets handling: The code loads .env files into os.environ. Prefer to set the API key in your agent/platform's secure env storage rather than pasting keys into chat. The skill includes explicit guidance to never print keys in plaintext — still verify the agent won't echo secrets in logs.
- Side effects: The update-check helper writes .agents/state.json in a repo root and may run a local subprocess to execute a locally-installed 'qwencloud-update-check' script. If you keep project directories with untrusted contents, be careful — the subprocess will execute local code. Allow these behaviors only in a trusted repository or test sandbox.
- Config edits: The skill's compatibility guide includes steps to append markers to agent config files. Require explicit user consent before permitting any automated edits to configs; prefer manual changes.
- Prompt-injection signal: A scanner flagged system-prompt-override patterns in SKILL.md. That doesn't prove malicious intent, but review the skill's frontmatter and prompt guidance for instructions that try to change agent/system prompts or expand authority.

If you proceed: run the skill in an isolated environment first (or with a throwaway API key), set the DASHSCOPE_API_KEY via secure env/config (not inline), and confirm file modifications or subprocess executions only occur with your explicit approval.
! references/prompt-guide.md:5
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.

Like a lobster shell, security has layers — review code before you run it.
