Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
za-healthguide
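v1.0.3
Insurance advisor for applicants with pre-existing conditions. Triggers when the user raises topics such as applying for insurance with a pre-existing condition, substandard risks, health disclosure, underwriting, whether someone with an illness can buy insurance, which insurance a given condition qualifies for, a client having condition XX, or applying with abnormal test indicators. Also triggers when the user asks for Zhongminbao (众民保) application links, Zhongminbao product introductions, or ZhongAn Insurance product details. Covers the Zhongminbao series and the mainstream market products open to applicants with pre-existing conditions, including the dedicated Zhongminbao relapse insurance products: the acute leukemia plan and the chronic leukemia plan.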
by jiazebei@hellonorth
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the included reference documents and workflow. The listed CDN documents and local reference files are directly relevant to providing product and underwriting guidance for users with prior illnesses.
Instruction Scope
SKILL.md explicitly instructs the agent to read local compliance docs and to download and parse product files from the listed CDN URLs using Python (urllib.request, python-docx, openpyxl, pdfminer) and subprocess.run. This behavior is coherent with the purpose (extracting authoritative product/underwriting rules) but grants the agent the ability to fetch remote files, write temp files, and run subprocesses — review and restrict network/file access if you want to limit risk. The instructions also call for generic web_search for non-ZhongAn products (expected). The compliance doc forbids collecting sensitive identifiers, which helps mitigate data collection risk.
Install Mechanism
Instruction-only skill with no install spec and no declared binaries or env vars. Lowest install risk. However the runtime instructions assume availability of Python and libraries (python-docx, openpyxl, pdfminer.six) — the runtime must provide these or the agent will attempt to run subprocesses that may fail.
Credentials
The skill declares no required environment variables, credentials, or config paths. The requested accesses (reading bundled reference files, performing web_search, and fetching documents from a ZhongAn CDN) are proportionate to the described function.
Persistence & Privilege
always:false and no install steps that persist or modify other skills or global agent config. The skill does write temporary files when downloading documents (tempfile.NamedTemporaryFile with delete=False) which is expected for parsing; ensure temp cleanup policy if desired.
Assessment
This skill appears to do what it says: consult local compliance guidance, fetch ZhongAn product docs from the listed CDN links, parse them, and provide underwriting guidance. Key things to check before installing: 1) Trust the CDN domain (https://cdn-health.zhongan.com) — if it is not a known/trusted source, downloaded files could be altered; 2) Ensure the agent runtime sandbox restricts network and file-system access to limits you accept (the skill downloads files and writes temp files and uses subprocesses); 3) Confirm the runtime has the required Python libraries (python-docx, openpyxl, pdfminer.six) so the skill won't try to install arbitrary packages at runtime; 4) The compliance doc prohibits collecting IDs/bank info — monitor prompts to ensure sensitive data is not requested or logged. If you need stronger assurance, ask the skill author for a signed source or host the reference docs on a domain you control.
Like a lobster shell, security has layers — review code before you run it.
