Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
以史为鉴
v0.1.4将中国历史案例映射到现实决策问题,输出局面判断、历史参照、关键变量、可选路径、沙盘推演、借鉴原则与边界提醒,并支持把用户补充的历史案例沉淀进本地案例库。Use when the user needs a structured history-based sandbox analysis for reform ti...
⭐ 0· 70·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the contained files: a 40+ case database, retrieval/classification/analysis code, prompts, and scripts for adding cases. No unrelated environment variables, binaries, or cloud credentials are requested. The ability to persist user-submitted cases into data/user_cases.json aligns with the 'add case to library' feature described.
Instruction Scope
SKILL.md instructs the host agent to read data/historical_cases.json and data/user_cases.json and — when users request persistence — to run the local CLI/scripts (e.g., scripts/add_case.py or src/main.py) to write structured JSON into data/user_cases.json. This is expected for the described feature, but it does grant the skill the ability to persist arbitrary user-provided JSON into the skill directory. The instructions explicitly recommend using standard input to write JSON (stdin), which will be executed without further provenance checks.
Install Mechanism
No install spec in the package (instruction-only skill + bundled code), and README/manifest suggest git clone from a GitHub repo. There are no downloads from untrusted URLs or archive extraction steps in the provided files.
Credentials
The skill requires no environment variables, credentials, or config paths. All data reads/writes are local and limited to the skill repository (data/historical_cases.json and data/user_cases.json) by default. No unrelated secrets are requested.
Persistence & Privilege
always is false and autonomous invocation is normal. The skill can persist user-submitted cases into its own data/user_cases.json (explicit feature). The add_case CLI exposes optional path parameters (e.g., --user-cases-path), which could, if invoked with different arguments, write to other filesystem locations — the SKILL.md and prompts do not instruct doing so, but the capability exists in the script API and should be considered when evaluating who the host agent is allowed to run as and what paths it may be given.
Assessment
This skill is internally consistent with its purpose: it analyzes user problems, finds similar historical cases, and can persist user-provided cases into a local user_cases.json. Before installing, consider: (1) any case you ask the skill to 'persist' will be written to the skill directory and retained for later retrieval — do not store sensitive or personally identifiable information in those cases; (2) the skill runs local Python code (src/main.py, scripts/add_case.py) — run it in an environment you control and inspect src/main.py (not fully shown here) if you need to confirm there are no network calls or additional behaviors; (3) the add_case script supports an argument to write to an arbitrary path — ensure the host agent cannot be instructed to run the script with a malicious path or elevated privileges. If you want extra assurance, run scripts/verify_install.py and examine the omitted source files (particularly src/main.py) in a sandbox before enabling the skill for autonomous use.Like a lobster shell, security has layers — review code before you run it.
latestvk9779fb0v2pw3s4e25ezpbxq6h84rm0y
License
MIT-0
Free to use, modify, and redistribute. No attribution required.