ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

New Balance

v1.0.1

提供New Balance跑鞋、服装、配件查询及门店信息,支持价格、新品及多宽度跑鞋建议。

0· 69·1 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill description advertises product queries, pricing, store info, and fitting suggestions, but SKILL.md only defines generic company information modules (history, business scope, global layout, latest news). There are no instructions, endpoints, or variables to fetch prices, inventory, or store locations — this is a capability mismatch.
Instruction Scope
SKILL.md is instruction-only and stays limited to producing high-level company information. It does not reference system files, environment variables, or external endpoints. However, it is vague and does not provide actionable runtime steps for the product/query features claimed in the description.
Install Mechanism
No install spec and no code files — lowest-risk form. Nothing will be written to disk by an installer because the skill is instruction-only.
Credentials
The skill declares no environment variables, no credentials, and no config paths, which is proportionate given the SKILL.md content (which doesn’t require external services).
Persistence & Privilege
always is false and the skill is user-invocable. It does not request elevated persistence or modify other skills or system-wide settings.
What to consider before installing
This skill's description promises product-level features (prices, store lookups, width recommendations) but the instructions only provide a generic company-info template. Before installing, ask the publisher for clarification or an updated SKILL.md that shows how it fetches prices/stores (APIs, endpoints, or required credentials). If you expect the skill to query live inventories or payment-related data, require explicit details about what external services it will call and any credentials needed. Because the source and homepage are unknown, prefer not to enable autonomous invocation until the capability mismatch is resolved.

Like a lobster shell, security has layers — review code before you run it.

latestvk972xj4d3fa6qdkd1dcw3rc3vn84xv3c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments