Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mini Games 5-Minute Report (小游戏5分钟报告)

v1.0.0

Generates automated 5-minute WeChat mini games industry reports with revenue-focused rankings, market analysis, user insights, and investment alerts.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
[!] Purpose & Capability
The skill claims to generate automated reports by scraping sj.qq.com and delivering Feishu documents. That legitimately requires browser automation tooling and Feishu API credentials/permissions, but the skill metadata lists no required binaries, env vars, or credentials — a mismatch between stated purpose and declared requirements.
Instruction Scope
SKILL.md explicitly instructs the agent to navigate to https://sj.qq.com/wechat-game, parse leaderboards, and create/send Feishu documents. Those runtime actions involve network scraping and message delivery to an external collaboration platform. The instructions do not ask to read unrelated local files or secrets, but they do assume access to external sites and messaging APIs without documenting how credentials or network access are provided.
Install Mechanism
There is no install spec and no code files; this is instruction-only, which is lower-risk from an installation perspective. However, because runtime needs imply browser automation and Feishu integration, the absence of any install instructions or declared dependencies is surprising.
[!] Credentials
The skill will need Feishu API credentials (app id/secret or bot token) and likely a headless browser/runtime or automation driver, but requires.env and primary credential fields are empty. Requesting no credentials when the workflow requires them is disproportionate and hides the real credential needs from reviewers.
Persistence & Privilege
The skill is not marked always:true and has no install hooks or claims of modifying other skills or system-wide settings. It does describe automated delivery but does not request persistent platform privileges in the manifest.
What to consider before installing
This skill's description and SKILL.md expect the agent to scrape Tencent's WeChat game rankings and post formatted documents to Feishu, but the manifest declares no dependencies or credentials. Before installing, ask the author to: (1) list required environment variables (Feishu app id/secret or bot token) and any browser automation binaries or drivers; (2) provide an install spec or implementation so you can review exactly what code will run; (3) confirm how credentials are stored and used (least privilege, no long-lived secrets embedded); and (4) verify that scraping sj.qq.com complies with Tencent's terms and robots.txt and that rate limits and privacy rules will be respected. If you must proceed, require explicit, minimal-permission credentials (prefer short-lived tokens) and test in a sandboxed environment. Because the manifest omits these runtime needs, treat the skill as suspicious until the author supplies clarifying details or code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cet9m2m4jwd2r12dfm0066n83q1qc
