Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dunkin

v1.0.1

Provides lookup and support for Dunkin' coffee, donut and baked-goods menus, store information, member benefits, and customization services.

MIT-0
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill description claims consumer-facing features (menu, store information, member benefits, custom service support). The SKILL.md, however, only instructs the agent to provide static, high-level brand background (founding history, products, global footprint, industry analysis). No APIs, endpoints, credentials, or procedures for live menu/store queries or membership actions are declared. This is an incoherence between claimed purpose and actual instructions.
Instruction Scope
SKILL.md is minimal and narrowly scoped to producing structured brand information and guidance, triggered when the user mentions 'dunkin'. It does not instruct the agent to read files, use credentials, or contact specific external endpoints. However, it is vague about how data should be fetched (it only 'suggests' official sources), so it will not by itself provide the live, per-store or membership features advertised.
Install Mechanism
No install spec and no code files — instruction-only skill. This has a low installation risk because nothing is written to disk or installed.
Credentials
The skill requests no environment variables, no credentials, and no config paths. This is proportionate to the SKILL.md (static brand info). If the skill were to provide live store/menu/member features it would likely need API keys — those are not requested, which contributes to the mismatch.
Persistence & Privilege
'always' is false, 'user-invocable' is true, and there is no installation behavior that modifies agent config or persists credentials. The skill does not request elevated or permanent privileges.
Scan Findings in Context
[no_scan_findings] expected: The repository contains only SKILL.md and no code files, so the regex-based scanner had nothing to analyze. Absence of findings is expected for instruction-only skills but does not prove the skill provides the live features its description claims.
What to consider before installing
This skill appears low-risk technically (no installs, no credentials required) but it is inconsistent: the description advertises live consumer features (menus, store lookup, membership support) while the instructions only cover brand background and market analysis. Before installing or relying on it:
1) Confirm whether you need live/store-specific or membership operations; this skill as written will not perform those.
2) Ask the publisher for the source/homepage or for an updated SKILL.md that documents API usage and required credentials if you expect dynamic data.
3) If you expect transactional features (store lookup, account actions), prefer a skill that declares the necessary APIs/credentials and has a verifiable source.
4) Because it's instruction-only and requests no secrets, it is unlikely to exfiltrate data, but the functional mismatch means it may not meet your needs.
