Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
multi-capability-bug-closure
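v1.0.0
Uniformly invokes a multi-capability system (source code, database, server logs, software platform queries, and so on) for bug localization and closed-loop argumentation. Intended for scenarios where the user requires that "conclusions and an evidence chain must be based on real data", rather than static code analysis alone.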
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name and description match the runtime instructions: the skill legitimately needs code, DB, server logs, and platform query capabilities to perform evidence-backed bug closure. However, the SKILL.md expects the agent to access those sensitive resources but the skill metadata declares no required environment variables, credentials, or config paths. That mismatch (implicit high-privilege access without declared requirements) is notable.
Instruction Scope
The SKILL.md explicitly directs the agent to read workspace source files, execute at least one read-only SQL on target databases, read server log configurations and target log directories/samples, and call platform Skills/documentation. These actions reach into sensitive areas (databases, logs, source code). The instructions do require not fabricating evidence and to avoid leaking creds, but they give broad discretion to access unspecified files/paths and other Skills — increasing the risk of unintended data exposure if connectors/permissions are not tightly scoped.
Install Mechanism
No install specification and no code files are present. As an instruction-only Skill, it does not download or install artifacts on disk, which reduces supply-chain/install risk.
Credentials
The Skill requires (in practice) database access, server log access, and the ability to read project source — all of which normally require credentials or config paths. Yet requires.env and required config paths are empty. Asking the agent to perform SQL queries and access logs without declaring or describing which credentials will be used is disproportionate and ambiguous. The SKILL.md does recommend using env/secret management, but it doesn't specify which secrets the platform must provide nor request read-only/least-privilege access.
Persistence & Privilege
always:false and no install steps are present; the Skill does not request persistent/system-wide presence or modification of other Skills. It can invoke other Skills (platform default), which is expected for this use case and is not by itself flagged here.
What to consider before installing
This Skill is coherent in purpose (it truly needs code, DB, log, and platform access to do what it claims) but it leaves important access details unspecified. Before installing or running it, confirm: (1) which connectors/credentials the agent will use (explicitly list databases, environments, and log paths); (2) provide read-only, least-privilege credentials or temporary tokens scoped to the minimum data needed (avoid using production admin keys); (3) restrict log and source access to the relevant service/component directories only; (4) require the agent to show a planned list of exact queries/paths it will read and ask for explicit user approval before executing them; (5) ensure any referenced third-party Skills (e.g., server-log-analysis) are trusted; (6) enable audit logging of the agent's actions and review outputs for sensitive data before allowing broader access. If you cannot safely provide narrowly scoped, read-only access, do not run the Skill with elevated or broad credentials.
Like a lobster shell, security has layers — review code before you run it.
latestvk9747mw5ar50k2t5dk9mcveza583es8s
