Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AI-powered DP Data Processing Pipeline Designer
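v2.0.1
DP data processing platform pipeline designer. Activates when the user mentions needs such as creating pipelines, data flows, Flink jobs, reading from Kafka, writing to a database/MongoDB, or data processing pipelines.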
by @hxp365
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to design, generate, submit, and monitor DP platform Flink jobs and therefore legitimately needs DP_SERVER_URL and DP_API_KEY. However, the SKILL.md references three context files (dp-operator-catalog.json, dp-api-reference.md, dp-job-schema.md) that are not included in the package, which is an inconsistency: either the skill will be non-functional or expects external files not disclosed.
Instruction Scope
Instructions are focused on talking to the DP REST API (submit jobs, poll status, retrieve logs) and only reference the declared DP env vars. They do not instruct the agent to read unrelated system files or exfiltrate data. The initial-shell snippet will abort if DP_API_KEY is not set and prints a masked API key prefix; this is benign but reveals part of the key locally. Overall scope is appropriate but depends on missing context files.
Install Mechanism
Instruction-only skill with no install spec and no code files, so nothing is written to disk by an installer. This is the lowest-risk install model.
Credentials
Only DP_SERVER_URL and DP_API_KEY are required, which is proportionate for a REST-API integrator. Minor concern: skill.json includes an explicit example IP (http://8.130.64.180) in the env var description — presence of a hard-coded example IP in metadata is unexpected and should be validated.
Persistence & Privilege
The skill does not request always:true and is user-invocable; it does not request elevated or persistent platform privileges. Autonomous invocation is allowed (platform default) but not combined with other red flags.
What to consider before installing
This skill largely matches its stated function (it will call your DP platform API using DP_SERVER_URL and DP_API_KEY), but it references supporting files (dp-operator-catalog.json, dp-api-reference.md, dp-job-schema.md) that are not included—ask the publisher where those files come from. Before installing:
1) Confirm the DP_SERVER_URL is the legitimate platform you expect (the skill metadata even shows an example IP you should verify).
2) Only provide a least-privilege API key for testing (not a full-admin key) and test in a non-production environment.
3) Request the missing context files or documentation to understand what operators/templates the skill will use.
4) If you cannot verify the source of the context files or the publisher, avoid supplying secrets to this skill.
skill.json:9
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
Tags: data-processing, etl, flink, latest, pipeline
