Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Skill

v1.1.0

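AI writing pipeline: give it a topic and it produces 9 Chinese essays in strikingly different styles, automatically scored and ranked.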

by venvox@dthinkr
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (generate 9 Chinese essays + scoring) matches the runtime actions (POST /generate, poll /tasks, optional /usage). However, the registry metadata lists no required env vars while SKILL.md explicitly requires PROSE_KIT_API_KEY and instructs registration at prose-kit.com—this metadata mismatch is unexplained and reduces trust in provenance.
Instruction Scope
Instructions are scoped to the prose-kit API: obtain/require an API key (or register with the user's email), POST a generate request, poll a tasks endpoint, save resulting essays to prose-kit-output/, and optionally query usage. These steps are coherent with the feature but include sending the user's email to a third party and writing user data to disk, which are privacy-relevant actions the user should consent to.
Install Mechanism
Instruction-only skill with no install spec or downloaded code. No on-disk installs are performed by the skill definition itself, which is lower risk.
Credentials
SKILL.md requires PROSE_KIT_API_KEY (and accesses it in the polling script) but the registry metadata claims no required env vars; this omission is inconsistent. Requiring a single API key and the user's email is proportionate to the described service, but the missing declaration and lack of provenance (no homepage/source) are suspicious.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or cross-skill config changes. It writes output files to a local directory (prose-kit-output/), which is expected behavior for saving generated essays.
What to consider before installing
This skill will call prose-kit.com, ask for your email to register (if you don't already have a key), require you to set PROSE_KIT_API_KEY, and save generated essays to prose-kit-output/ on your machine. Before installing: (1) verify the prose-kit.com domain and service legitimacy (homepage/source code are missing from the registry entry), (2) do not share sensitive credentials—only provide an API key if you trust the service, (3) be aware your email will be sent to a third party during registration, and (4) confirm you are comfortable with the skill writing files locally. The metadata omission (no declared required env var) could be a sloppy authoring error, but it reduces trust—ask the publisher for source or a homepage or prefer skills with clear provenance.

Like a lobster shell, security has layers — review code before you run it.

latestvk973edxj87hzw301svd8fe06rn83cvs8
