Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Yahoo! Japan Auctions Price Estimator

v1.0.3

Yahoo! Japan Auctions item price estimation tool - automatically fetches item information, looks up historical sold prices, and calculates a suggested bid

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description say the skill fetches Yahoo! Auctions listings and historical prices and computes suggested bids. The declared requirements (node, curl) and the single environment variable PROXY_SOCKS5 are consistent with needing outbound HTTP(S) access through a Japan-based proxy to reach those data sources.
Instruction Scope
SKILL.md explicitly instructs running the provided Node script and setting PROXY_SOCKS5; the script only reads that env var and performs HTTP fetches of Yahoo! Auctions and aucfree pages. The script uses child_process.execSync to call curl — expected for this type of scraper, but it is an execution-time surface to be aware of, because the command is assembled as a shell string (see the assessment below).
Install Mechanism
No install spec or remote downloads. This is instruction-only plus a local script (estimate.mjs). Nothing is fetched or written during install, so install risk is low.
Credentials
Only PROXY_SOCKS5 is required and declared as primaryEnv. That aligns with the stated need to route requests through a Japan-based SOCKS5 proxy. No unrelated credentials or extra env vars are requested.
Persistence & Privilege
The always flag is set to false, and the skill does not request persistent system-wide privileges or modify other skills or configs. It runs on invocation and does not attempt to persist or escalate privileges.
Assessment
This skill appears to do what it claims: it scrapes Yahoo Auctions and aucfree using curl invoked from a Node script, and asks you to set PROXY_SOCKS5 so requests appear to come from Japan. Before installing or running:

(1) Only set PROXY_SOCKS5 to a proxy you trust. A malicious proxy URL could intercept traffic, and because the proxy string is interpolated into a shell command, an unexpected value could be abused.
(2) Run the script in an isolated environment or container if you are concerned about network scraping.
(3) Verify you are comfortable with outbound network access to auctions.yahoo.co.jp and aucfree.com.
(4) If you will pass untrusted IDs or environment values, review or sanitize those inputs to avoid command-injection risks.

Overall the skill is internally consistent and proportionate to its stated purpose.


latest (vk97ezfc25vf5sh28jhv0nxfe3581w253)


Runtime requirements

Tag: Clawdis
Bins: node, curl
Env: PROXY_SOCKS5
Primary env: PROXY_SOCKS5
