Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
chatdoc-studio-api
v1.0.0
ChatDOC Studio API usage guide - complete documentation and examples for PDF parsing, chat applications, agent applications, content retrieval, and data extr...
by @cumtyc
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidence
Purpose & Capability
The files are comprehensive API documentation and code samples for a document-processing/chat/RAG service (PDF parsing, uploads, chat/agent/extract apps). That matches the skill name/description and the examples are coherent with that purpose.
Instruction Scope
The runtime instructions and examples require making authenticated HTTP calls and uploading files (open local files for upload). The SKILL.md and examples instruct use of environment variables (CHATDOC_STUDIO_API_KEY, CHATDOC_STUDIO_BASE_URL) and reading local files for upload — expected for this API — but the skill metadata did not declare these required env vars. No instructions request broad system reads or unexpected remote endpoints beyond https://api.chatdoc.studio/v1, and there is no guidance to exfiltrate unrelated data.
Install Mechanism
This is an instruction-only skill with no install spec and no code to write to disk. That is the lowest-risk install mechanism.
Credentials
The documentation clearly expects an API key in CHATDOC_STUDIO_API_KEY (and optionally CHATDOC_STUDIO_BASE_URL), but the skill metadata declares no required environment variables or primary credential. This is an inconsistency: if you plan to use the skill you will need to provide an API key, but the package does not surface that requirement. Requesting an API key for the documented service would be proportionate; failing to declare it is a transparency issue. Also note that uploads mean you may transmit sensitive documents to the remote service, which is what the skill will do if you follow the examples.
Persistence & Privilege
The skill is not always-enabled and does not request persistent privileges. It is user-invocable and allows autonomous model invocation by default (normal). There is no indication it modifies other skills or system configurations.
What to consider before installing
This skill is primarily documentation and code samples for the ChatDOC Studio API (PDF parsing, chat, extraction, RAG). That purpose matches the files, but the package metadata did not declare the API key (CHATDOC_STUDIO_API_KEY) that the docs repeatedly require; treat that as a transparency/information mismatch. Before using the skill:
1) Confirm the API base URL (https://api.chatdoc.studio/v1) is the official endpoint you expect.
2) Only provide a minimal, least-privileged API key; avoid using high-privilege or long-lived credentials.
3) Do not upload sensitive documents (PII, secrets, proprietary files) until you verify the service's privacy/retention policy.
4) Inspect the omitted files (e.g., agents/openai.yaml) referenced in the package to understand any surprises or external integrations.
5) If you need strict guarantees, obtain official SDK/docs from the provider and compare them to these files.
The skill is not evidently malicious, but the metadata/README mismatch and potential for sending sensitive data to a remote API justify caution.
Like a lobster shell, security has layers — review code before you run it.
