Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
jiujiu-mindmap-summary
v1.0.0 · Mind-map summary generation skill. Generates a mind map in JSON format from the input text.
⭐ 0 · 149 · 0 current · 0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description (mind‑map JSON generator) match the provided code and instructions: a Node script posts input text to an API and prints JSON. Requiring node and an API key is plausible for a hosted backend. However the README suggests contacting a phone number to obtain a key and also provides a hardcoded 'trial' API key in docs, which is unexpected and reduces trustworthiness.
Instruction Scope
SKILL.md instructs running scripts/generate.mjs with --input and setting JIUJIUMINDMAP_API_KEY; the script only reads that env var and POSTs {text} to an API. It does not read other system files. The concerning instruction is the guidance to set a default trial key (jiujiu-secret-key-123-456) and to contact a phone number — this is out of band and may encourage users to use a shared/embedded credential.
Install Mechanism
No install spec; the skill is instruction+script only and requires an existing node binary. Nothing is downloaded or executed automatically, which minimizes install risk.
Credentials
Only one env var (JIUJIUMINDMAP_API_KEY) is required, which is proportionate. But embedding an example API key in SKILL.md and instructing users to use it (or obtain a key by calling a phone number) is risky: it encourages use of a shared credential and may result in credential reuse or accidental exposure. The code will send that API key as an 'x-api-key' header to whatever API_URL is configured, so using a remote endpoint would transmit the key to third parties.
Persistence & Privilege
always:false and no special privileges requested. The skill does not modify other skills or system configuration; it only reads one environment variable and makes an outbound HTTP request.
What to consider before installing
This skill is functionally coherent but has a few red flags you should address before installing: (1) Do not rely on the example 'jiujiu-secret-key-123-456' in SKILL.md — treat it as a placeholder and avoid using shared/demo keys. (2) Verify which server will receive requests: the script defaults to http://127.0.0.1:8000 but a comment suggests replacing it with your deployed domain; if you point it at a remote service, your API key will be sent there. (3) Obtain an API key from a trusted source and scope it appropriately; do not set sensitive keys globally if you can avoid it. (4) If you don't control the backend, ask the skill author for provenance (source, homepage, who runs the API) before supplying any secret. (5) Run the script in a sandbox or inspect/modify API_URL to a controlled endpoint during testing.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/generate.mjs:29: Environment variable access combined with network send.
Version: latest · vk975et0wf3dqq81939pmsdgnws83esb6
Runtime requirements
🤖 Clawdis
Bins: node
Env: JIUJIUMINDMAP_API_KEY
Primary env: JIUJIUMINDMAP_API_KEY
