Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Knowfun
v1.0.15
Generate educational content using Knowfun.io API - create courses, posters, games, and films with AI. Use when user wants to generate educational content, v...
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
The name/description (generate courses/posters/games/films) matches the declared requirements: a 'knowfun' CLI binary and KNOWFUN_API_KEY. The repo includes a CLI wrapper (scripts/knowfun-cli.sh) and a small JS shim, which explains the 'knowfun' binary requirement. Minor inconsistency: the registry metadata says 'No install spec — instruction-only', while SKILL.md and package.json include an npm install / bin entry and the repository contains the CLI script — likely an authoring/packaging oversight but not malicious.
Instruction Scope
SKILL.md instructs the agent to read KNOWFUN_API_KEY, parse arguments, and call the official API using curl (and jq when available). The instructions do not direct the agent to read arbitrary host files or unrelated environment variables, nor to contact endpoints outside the documented base URL. The allowed-tools clause (Bash(curl *)) is broad but SKILL.md and the included scripts hardcode the API base URL (https://api.knowfun.io), limiting scope.
Install Mechanism
There is no registry-level install spec, but the package contains package.json, a bin wrapper, and instructions to install via npm or to curl SKILL.md from GitHub. Those are standard distribution methods. No download-from-arbitrary-URL patterns or obfuscated payloads are present in the provided files. Recommendation: prefer installing the published npm package or auditing the shipped scripts rather than piping unknown scripts directly from the network.
Credentials
The skill only requires a single API key (KNOWFUN_API_KEY) which is appropriate for an API integration. No other SECRET/TOKEN/PASSWORD environment variables or unrelated credentials are requested. SKILL.md's behavior (using the env var for Authorization) is proportionate.
Persistence & Privilege
always:false and user-invocable:true. The skill does not request persistent elevated privileges or modifications to other skills or system-wide settings. It shells out to a hardcoded script path and uses the official API; autonomous model invocation is allowed (disable-model-invocation:false) but that is the platform default and not by itself a concern.
Assessment
This skill appears to be a legitimate CLI wrapper for the Knowfun.io API. If you plan to install it: 1) Prefer installing the published npm package (npm install -g knowfun-skills) or audit the shipped scripts before linking them into your PATH; 2) Keep your KNOWFUN_API_KEY secret and set it as an environment variable (don't paste into public chat); 3) Inspect scripts/knowfun-cli.sh to confirm all curl calls go to https://api.knowfun.io if you want extra assurance; 4) Avoid blindly running curl | bash from unknown URLs—download and review files first. If anything looks different after installation (unexpected outbound endpoints, file writes, or requests for other credentials), revoke the API key and investigate.
knowfun.js:30
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
📚 Clawdis
Bins: knowfun
Env: KNOWFUN_API_KEY
