Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Universal Utility Toolkit - 全能实用工具包
v1.0.0Universal Utility Toolkit - 全能实用工具包,包含单位转换、UUID生成、URL处理、Unicode探索、JSON/YAML格式化、哈希计算、密码生成、颜色选择等开发必备工具。Invoke when user needs utility tools, converters, genera...
⭐ 0· 53·0 current·0 all-time
bybittao@hgta23
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
high confidencePurpose & Capability
The code modules match the stated high-level purpose (unit conversion, UUIDs, URL parsing, unicode tools, JSON/YAML formatting, hashing, password generation, color utilities). However several SKILL.md/README claims are not implemented in the code (real-time currency lookups, URL shortening/expanding, QR code generation, clipboard copy, file-hash routines, and README's npm package name differs from package.json). These mismatches reduce coherence.
Instruction Scope
SKILL.md and examples imply real-time currency conversion and features like URL shortening/QR generation and clipboard copying. The shipped JavaScript contains only static/hardcoded currency rates, no network calls, no URL-shortener/QR or clipboard code, and hash functions operate on strings (no file I/O). That discrepancy is scope creep/inaccuracy in documentation and could mislead users about actual behavior.
Install Mechanism
No install spec or external downloads; all code is included in the package and package.json has no external dependencies. This is low-risk from an install/download perspective.
Credentials
The skill requests no environment variables, no credentials, and references no config paths. There is no sign of credential or secret access in code.
Persistence & Privilege
Skill does not request always:true and does not attempt to modify other skills or system-wide settings. It has normal, non-persistent privileges.
What to consider before installing
This package appears to be a straightforward collection of local utility functions, but the documentation over-promises. Before installing or relying on it: 1) Note that currency conversion uses static hard-coded rates (not real-time) — do not use for financial decisions. 2) URL shortening/expansion, QR generation, clipboard copy, and file-hash features mentioned in SKILL.md are not implemented in the code. 3) UUID v5 and YAML conversion implementations are non-standard/simplified (may not be RFC-compliant). 4) README's install command references a different package name than package.json — packaging may be sloppy. 5) No networking or credential access is present, which is good; still review and test the functions in a safe environment and consider auditing or improving the missing/incorrect features before trusting them in production.Like a lobster shell, security has layers — review code before you run it.
latestvk970wq6qss30wxzksyydmd121s84a4z4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.