Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ZenTao Bug Statistics

v1.0.0

Counts the number of version bugs in ZenTao from a specified start date, together with today's newly created, closed, activated, and issue-introduced bug data.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious

OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description say "ZenTao bug statistics" and the included Python script logs into a ZenTao instance and issues POST queries to search-buildQuery.html then scrapes a bug-browse page to count results. The requested operations (HTTP login and query) align with the stated purpose.
Instruction Scope
SKILL.md tells the user to run the Python script which performs login and query steps described in the docs. The SKILL.md does not document environment variables the script will read (ZENTAO_URL, ZENTAO_USER, ZENTAO_PASS), nor the script's implicit dependence on specific project/product IDs (project=47, product=28) and a result page path (bug-browse-28). Those omissions are scope/documentation issues but not evidence of malicious behavior.
Install Mechanism
This is an instruction-only skill with an included Python script; there are no installers, external downloads, or package installations. Nothing is written or executed beyond running the provided script.
Credentials
The skill does not request credentials in metadata, but the script will read optional environment variables ZENTAO_URL, ZENTAO_USER, and ZENTAO_PASS (and will POST the credentials to the specified ZenTao server). It also embeds default values (default URL http://172.16.16.1:81/zentao/, default user 'jinx_robot', default password '!!123Abc'). These defaults are convenience choices but should be reviewed before running to avoid accidentally sending credentials to the wrong endpoint.
Persistence & Privilege
The skill does not request persistent/always-on presence and does not modify agent or system-wide settings. It only performs one-off HTTP actions when run.
Assessment
This skill appears to do exactly what it says: log into a ZenTao instance and count bugs. Before using it, check and if necessary change the defaults: set ZENTAO_URL to your internal ZenTao URL, and set ZENTAO_USER and ZENTAO_PASS via environment variables rather than relying on the hardcoded defaults. Review the script if you plan to run it on a machine with broader network access—it will POST your credentials to whatever ZENTAO_URL is set to. Also verify the hardcoded project/product IDs (project=47, product=28) and result path (bug-browse-28) match your ZenTao setup, or modify them. If you are uncertain, run the script in an isolated environment (or on an internal network) and inspect network calls (e.g., with a proxy) the first time you run it.


Latest: vk974a7ep42rqq1sx2zvxppetjs838snf
