Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

58区块同城

v1.0.0

A blockchain-based digital city platform offering digital block browsing, city popularity queries, NFT avatar trading, and participation in block activities.

bybittao@hgta23
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description describe a blockchain city/NFT service, and SKILL.md shows network calls to blockcity.vip for city rankings and details, which aligns with the stated purpose. However, SKILL.md also lists permissions (file.read, file.write) and required binaries (curl, python3) that are not declared in the registry metadata section presented to the platform, an inconsistency that reduces trust.
Instruction Scope
Runtime instructions tell the agent to fetch data from https://www.blockcity.vip endpoints and parse JSON/HTML, which is appropriate for the stated tasks. But SKILL.md requests broad permissions (network, file.read, file.write). The instructions do not specify which local files are read or written, or how user credentials and wallet data would be handled; giving the agent file read/write together with network access could enable exfiltration of local secrets unless it is tightly constrained.
Install Mechanism
No install spec and no code files: this is the lowest-risk distribution model. The skill is instruction-only, so no binary is downloaded or installed from untrusted URLs.
Credentials
The skill declares no required environment variables or primary credential, yet it describes features (purchasing NFTs, managing a wallet, login-required actions) that normally require credentials or wallet access. SKILL.md also requests file read/write permissions even though no files or config paths are declared. This mismatch means the skill could demand ad-hoc credentials or file access at runtime without prior declaration, which is disproportionate and ambiguous.
Persistence & Privilege
The always flag is false, and the skill does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed (the platform default) but is not combined with other high-privilege requests here.
Scan Findings in Context
[no_code_files] expected: The regex scanner found nothing because this is an instruction-only skill with no code files. That is consistent with the package format, but it means the behavior review must rely on SKILL.md alone.
What to consider before installing
This skill appears to do what it says (query city rankings and browse NFTs), but there are important inconsistencies you should clear up before installing it or granting permissions:

1) SKILL.md requests file.read and file.write permissions, but the package declares no required config paths or environment variables. Ask the author which local files will be accessed and why.

2) NFT purchase and management normally require wallet credentials, and the skill declares none. Never provide wallet private keys or API secrets directly through the skill without clear, documented handling.

3) Verify that the endpoints (https://www.blockcity.vip and https://www.58.tl) are legitimate and that traffic will not be forwarded to unexpected third parties.

4) If you must try it, run it in a sandboxed environment and do not use real wallet credentials or sensitive local files until the author clarifies permission use and credential handling.

Like a lobster shell, security has layers — review code before you run it.
