Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description (EPAI platform management) match the code and SKILL.md: the script calls API endpoints to list/create/delete knowledge bases, catalogs and upload documents. The declared env vars (API base, API key, account, verify TLS) are appropriate and necessary for this purpose.
Instruction Scope
SKILL.md only instructs running the included Python CLI with explicit methods. It explicitly declares file-read permission for uploads and does not ask the agent to read unrelated system files or extra environment variables. The script opens local files only when performing document_upload, which is declared.
Install Mechanism
No install spec (instruction-only plus a bundled Python script) — low risk from installers. Note: the script depends on the 'requests' library but the SKILL.md doesn't list Python dependencies, so the runtime environment must provide requests or the script will fail.
Credentials
Required environment variables (EPAI_API_BASE, EPAI_API_KEY, EPAI_ACCOUNT, EPAI_VERIFY_TLS) are proportional to a service client. The script does not access additional secrets or unrelated system config paths.
Persistence & Privilege
Skill is not always-enabled, does not request persistent system-wide changes, and does not modify other skills' configuration. Autonomous invocation is permitted (platform default) but not combined with other high-risk flags.
Assessment
This skill appears to be a straightforward CLI client for an EPAI API and is internally consistent, but take these precautions before installing:
- Only set EPAI_API_BASE to a trusted endpoint: the script will send your EPAI_API_KEY, EPAI_ACCOUNT, and any uploaded files to that base URL.
- Be careful when uploading local files: the skill reads and posts the files you point it at; do not upload sensitive documents to an untrusted server.
- Do not disable TLS verification (EPAI_VERIFY_TLS=false) unless you understand the risk; default is to verify TLS.
- Ensure the runtime has the Python 'requests' library available or the script will fail.
- The skill has no homepage or publisher metadata; if you need higher assurance, request provenance (who published it) or review/run it in an isolated environment first.
- Use least-privilege API credentials (scoped key) and rotate/revoke the key if you stop using the skill.
If you want a deeper assessment, provide the publisher details or any external endpoints the API_BASE should point to so I can flag unexpected domains or details.Like a lobster shell, security has layers — review code before you run it.
latestvk97fftacdrec4gwc5tv1et3z4x81s91g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.