Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

NeoDB

v1.0.0

NeoDB book/film/music annotation assistant: performs all NeoDB operations through the API instead of the web or client app. Supports searching entries, marking (want to watch / watching / watched / dropped), rating, short reviews, long reviews, notes, collections, and tag management. Trigger scenarios: (1) the user mentions NeoDB, books/films/music, marking, want to watch, watched, reading, finished reading, rating, or reviews; (2) the user wants to search for or annotate books, films, series, music...

by Eric Yu @gitnapp
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill claims to operate NeoDB via its API, which legitimately requires an OAuth token and (optionally) an instance hostname. The SKILL.md explicitly requires NEODB_TOKEN and NEODB_INSTANCE, but the registry metadata declares no required environment variables or primary credential — that inconsistency is unexpected and reduces transparency.
Instruction Scope
SKILL.md provides concrete curl templates and clearly limits operations to NeoDB API endpoints. It instructs storing NEODB_TOKEN (in ~/.claude/settings.json env) and to run the provided scripts/setup-auth.sh. The instructions promise user confirmation before write operations. No instructions request unrelated files, other service credentials, or exfiltration to unexpected endpoints.
Install Mechanism
There is no install spec (instruction-only skill). The only code file is a local bash auth helper; there are no downloads, package installs, or archive extraction steps. This is a low-risk install surface.
Credentials
The SKILL.md legitimately requires NEODB_TOKEN (OAuth access token) and optionally NEODB_INSTANCE. Those are proportional to the stated purpose. However, the registry metadata does not declare these required env vars or a primaryEnv, which is an inconsistency. The included script also produces and stores client_id/client_secret and access_token locally — these are sensitive and should be explicitly declared and documented in metadata.
Persistence & Privilege
The setup script writes credentials to a local file (scripts/.credentials.json) and prints the access token; it also advises adding the token to ~/.claude/settings.json. The skill is not marked always:true and does not modify other skills, but local persistence of client_secret and access_token is a real sensitivity (risk of accidental commit or exposure) and should be considered before use.
What to consider before installing
This skill appears to do what it says (call NeoDB APIs), but be cautious: SKILL.md requires an OAuth token (NEODB_TOKEN) and optional NEODB_INSTANCE while the registry metadata does not declare those credentials — an omission that reduces transparency. The included scripts/setup-auth.sh will (1) register an OAuth app on the chosen NeoDB instance, (2) open a browser for you to authorize, and (3) save client_id, client_secret, and the access_token to scripts/.credentials.json and print the token. Before installing or running it:

- Review scripts/setup-auth.sh closely (it only talks to your chosen NeoDB instance, but it stores secrets locally).
- Do not run the script if you don't trust the instance you select. Prefer specifying the official (neodb.social) instance if that's your intent.
- Consider creating an OAuth token manually in the instance UI and exporting it to your environment instead of running the script.
- If you run the script, move or protect scripts/.credentials.json and add it to .gitignore (the script already suggests this).
- Ask the skill author/registry to update the metadata to list NEODB_TOKEN (primaryEnv) and NEODB_INSTANCE so required permissions are explicit.

If you need a safer test: run the script in an isolated environment (VM/container) and avoid committing any credential files.


latest: vk978s3w4nfx9g3rzt2kwwe92xd83r28y
