Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Calls a custom summarization API to process user-provided text and return the result

v1.0.0

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md and server.js are consistent: the skill exposes /api/skill/call and forwards the provided `content` to the declared third‑party API (https://test-gig-c-api.1haozc.com/...). There is no unrelated credential/binary requested. Note: the target API is hard-coded to an external domain rather than provided via configuration.
Instruction Scope
SKILL.md explicitly describes forwarding user text to the external API and the internal endpoint to call. The implementation also logs the full user content to the server console (console.log), which is not called out in the SKILL.md and may expose content in logs — a privacy/operational concern but not an incoherence.
Install Mechanism
No install spec is provided (instruction-only), which is low risk. However code files (server.js, package.json) are included; running the skill will require installing dependencies (express) and running the Node server. There are no downloads from untrusted URLs or extract steps.
Credentials
The skill requests no environment variables or credentials, which is proportionate. However it transmits all user content to an external, hard-coded HTTPS endpoint without authentication and logs the content locally; this raises privacy/exfiltration concerns even though it doesn't require extra credentials.
Persistence & Privilege
`always` is false, and the skill does not request elevated platform privileges or modify other skills. It does not persist configuration beyond typical server process behavior.
Assessment
This skill is internally coherent but forwards any user-provided text to an external server (https://test-gig-c-api.1haozc.com) and writes that text to console logs. Before installing, verify who operates that endpoint and what their privacy and security practices are. Do not send sensitive or confidential information through this skill. Prefer a version that makes the target API URL configurable via environment variables, uses authentication, shows an explicit consent notice, and avoids logging full user content. If you need stronger guarantees, host the code yourself or ask the developer to provide an operator identity and a privacy policy.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
server.js:52 — Environment variable access combined with network send.

Like a lobster shell, security has layers — review code before you run it.

