Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name, description and SKILL.md content all align: an instruction-only skill intended to provide Chinese Ministry of Education policy, exam, certification, and school information. No unexpected binaries, env vars, or install steps are requested.
Instruction Scope
The instructions are simple content/read_when rules and do not request system files, credentials, or external endpoints. However the SKILL.md contains unicode control characters (pre-scan finding) which can be used to hide or alter prompts; the file should be inspected in raw form to ensure there is no hidden or malicious content.
Install Mechanism
No install spec and no code files — lowest-risk delivery mechanism. Nothing will be written to disk by an installer.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate for a read-only informational skill.
Persistence & Privilege
always is false and the skill is user-invocable only. It does not request elevated or persistent privileges.
Scan Findings in Context
[unicode-control-chars] unexpected: An instruction-only informational skill would not normally need hidden/unprintable characters. These characters can be used to obfuscate instructions or carry prompt-injection payloads; this warrants manual inspection of the raw SKILL.md text to locate and remove any control characters.
What to consider before installing
This skill appears to genuinely be an informational helper about Chinese education policy and does not request credentials or install anything. However an automated scan found hidden/unicode control characters in the SKILL.md which can be used to hide malicious prompt instructions. Before installing or enabling the skill: (1) view the SKILL.md in a raw/plain-text editor and remove or examine any invisible/control characters, (2) verify the skill's source or author if possible (no homepage provided), (3) avoid providing any personal credentials or sensitive data to the skill, and (4) prefer skills that link to official government pages or known sources for policy data. If you cannot inspect the raw file or verify the author, treat the skill as untrusted.Like a lobster shell, security has layers — review code before you run it.
latestvk971ss1z3brbch6xctrxwpsqex84q8cf
License
MIT-0
Free to use, modify, and redistribute. No attribution required.