License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (product catalog and recommendations) match the instructions: the SKILL.md explicitly fetches and uses a products.json and gives filtering/sorting/recommendation rules. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
The runtime instructions require fetching a JSON from a raw GitHub URL and, on failure, reading a local file at /Users/xizheng/.openclaw/workspace/skills/gongjian-catalog/products.json. This is expected for dynamic product data, but external JSON can be changed by its maintainer and product fields could contain unexpected text; ensure the agent treats fetched data as untrusted content (do not execute code embedded in fields) and consider pinning to a specific commit or vendor-hosted release if you need stronger integrity guarantees.
Install Mechanism
Instruction-only skill with no install spec and no code files — nothing is written to disk by an installer. Lowest install risk.
Credentials
The skill requests no environment variables or credentials. The only resource access is network fetch of a specific GitHub raw URL and a single local workspace path, which are proportional to a catalog lookup.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide configuration or elevated privileges. Normal autonomous invocation is allowed but not excessive here.
Assessment
This skill behaves like a straightforward product-catalog helper and is internally coherent. Before installing: (1) confirm you trust the GitHub repo URL (raw GitHub content can change and would change what the skill reports); (2) if you need stronger integrity, ask the author to pin a commit or provide a signed/controlled data source; (3) be aware the agent will display whatever text appears in products.json (malicious or misleading product descriptions could be reflected back to users), so validate the data or restrict network access if necessary; (4) the fallback local path is inside a workspace — verify it doesn't read other local files you care about. If these points are acceptable, the skill is consistent with its stated purpose.
Like a lobster shell, security has layers — review code before you run it.
