ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gate Info Liveroom Location (gate-info-liveroomlocation)

v1.0.2

Gate live stream and replay listing skill. Use when the user asks to find live rooms or replays by tag, coin, or sort. Triggers on 'live room list', '最热直播',...

0· 55·0 current·0 all-time
byGate@gate-exchange
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to be a simple live/replay listing for Gate and requires no credentials or binaries, which fits the described capability. However, SKILL.md insists the Gate-Info MCP server is 'Required' and instructs to 'use the local Gate MCP installation flow', while README.md states 'No MCP' and the package has no install spec. This inconsistency suggests either missing runtime dependencies or stale/contradictory documentation.
!
Instruction Scope
Instructions limit the agent to a single API endpoint and to not fabricate results, which is appropriately scoped. But SKILL.md references reading ../gate-runtime-rules.md (not present in the bundle) and requires a 'restricted-region' check without specifying how the agent should determine the user's region (agent context, IP geolocation, user profile?). Those missing details create operational ambiguity and could lead the agent to make broad assumptions about available runtime context.
Install Mechanism
There is no install specification and no code files, so the skill is instruction-only and does not write binaries to disk — low installation risk. However, SKILL.md's 'Install: Use the local Gate MCP installation flow' contradicts the lack of an install spec and README's 'No MCP' statement; this is documentation incoherence rather than an explicit install risk.
Credentials
The skill declares no required environment variables, credentials, or config paths — proportional for a read-only listing feature. Still, the SKILL.md expects an MCP runtime (Gate-Info) but doesn't declare how credentials or endpoints are supplied; that mismatch should be clarified so there is no hidden requirement for access tokens or local services.
Persistence & Privilege
Flags show always:false and normal agent invocation; the skill does not request persistent presence or elevated privileges and contains no install-time modifications. This is appropriate for an instruction-only listing skill.
What to consider before installing
This skill appears to do what it says (return a list of Gate live streams or replays) and requests no secrets, but the documentation is inconsistent and incomplete. Before installing or enabling it, ask the publisher: (1) Do you require a local Gate MCP server or is the skill a plain HTTP client? (SKILL.md and README disagree.) (2) Where does the GET /live/gate_ai/tag_coin_live_replay request go (full base URL)? Are requests sent to gate.io only? (3) How is a user's region determined for the restricted-region block (explicit user locale field, agent metadata, IP geolocation)? Will that check access any system files or external services? (4) Provide the missing runtime file ../gate-runtime-rules.md or update SKILL.md to be self-contained. If you cannot get clear answers, run the skill in a sandboxed environment or deny it autonomous invocation until the dependencies and region-check behavior are clarified.

Like a lobster shell, security has layers — review code before you run it.

latestvk971mjmax74p3mjkmz9af738rs84d3pk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments