Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI-powered DP Platform Operations Advisor
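v2.0.1
DP data processing platform operations advisor. Activated when the user mentions operations needs such as checking the platform, job failures, job status, throughput analysis, fault diagnosis, or operations reports.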
by @hxp365
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The described purpose (monitoring/diagnosing a DP platform) legitimately requires DP_SERVER_URL and DP_API_KEY, and the SKILL.md uses those vars exclusively. However, the top-level registry metadata in the submission claimed no required env vars while skill.json and SKILL.md declare two required env vars — this mismatch is an incoherence in the package metadata. SKILL.md also lists context files (dp-api-reference.md, dp-operator-catalog.json) that are not present in the bundle, which reduces reproducibility and is unexpected.
Instruction Scope
Instructions direct the agent to call DP_SERVER_URL endpoints with the DP_API_KEY header, parse responses locally, and optionally take corrective actions — all consistent with the stated purpose. The script prints the first 8 characters of the API key to stdout (partial secret exposure) and uses curl/python inline, but it does not instruct reading unrelated system files or contacting external endpoints beyond the DP server.
Install Mechanism
No install spec or code is included (instruction-only). This is low-risk from an install perspective since no remote code is downloaded or written to disk by an installer.
Credentials
The skill requires only DP_SERVER_URL and DP_API_KEY which are proportionate to the functionality. The concern is the metadata mismatch: registry-level fields reported 'none' while skill.json and SKILL.md require credentials. Also, the instructions echo a substring of DP_API_KEY to logs/UI which risks secret exposure; users should ensure the key has least-privilege and rate limits. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent/always-on privileges (always:false) and does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high-risk flags here.
What to consider before installing
This skill appears to actually require DP_SERVER_URL and DP_API_KEY even though the registry metadata omitted them — confirm that before installing. Verify the skill's origin (source is unknown) and ask the publisher for missing context files (dp-api-reference.md and dp-operator-catalog.json). Only provide an API key that has minimal permissions and rate limits (prefer a read-only or scoped key). Be aware the skill will send that key in request headers to whatever DP_SERVER_URL you configure and will print the first 8 characters of the key to stdout (may appear in logs/agent UI). If you cannot verify the publisher or the endpoints, do not install or use production/high-privilege keys. If you proceed, audit network requests to the DP_SERVER_URL and prefer creating a dedicated service account/key limited to monitoring read actions.
skill.json:9
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
Tags: data-processing, flink, latest, monitoring, operations
