Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
andrea-test-002
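v1.0.1
AlphaClaw is the CLI tool for the SkillHub skill store, used to search, install, publish, and manage Claude Code skills. It supports AK/SK login, keyword search for skills, one-click installation and publishing of skill packages, and a full set of features such as favorites and comments.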
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (SkillHub CLI for searching/installing/publishing skills) match the runtime instructions. However the skill is instruction-only and instructs users to install an external npm package (1688alphaclaw) and uses an API host (alphashop.cn) while the registry metadata lists no homepage/source — the external dependency and missing source attribution are notable.
Instruction Scope
Instructions correctly describe CLI commands and explicitly instruct storing credentials in ~/.alphaclaw/auth.json, opening a browser for AK/SK entry, installing packages, and writing an install lock at ~/.skillhub/skills-lock.json. These actions are consistent with a CLI but involve storing sensitive secrets locally and invoking an external npm package the skill bundle does not contain.
Install Mechanism
There is no install spec for the skill bundle itself (instruction-only), but the documentation instructs users to run `npm install -g 1688alphaclaw`. That means code will come from the npm registry (not included in this package) and the skill metadata provides no authoritative source/homepage for that package — moderate risk until you verify the npm package and its publisher.
Credentials
The SKILL.md references an environment variable SKILLHUB_API (defaulting to https://api.alphashop.cn) and file paths for storing credentials, but the registry requirements list no required env vars. The AK/SK credential flow is reasonable for this CLI, but the undeclared SKILLHUB_API and local storage of Secret Key (sensitive) should be verified (encryption, permissions, and retention).
Persistence & Privilege
The skill does not request always:true and does not modify other skills; it instructs writing its own config files under the user's home directory (~/.alphaclaw and ~/.skillhub), which is expected for a CLI. Autonomous invocation defaults are normal and not by themselves a concern here.
What to consider before installing
This bundle is an instruction-only wrapper that tells you to install an external npm package (1688alphaclaw) and to store AK/SK credentials in ~/.alphaclaw/auth.json. Before installing or using it:
1) Look up the npm package 1688alphaclaw on the npm registry and confirm the maintainer and source code (review the package contents and recent publish history).
2) Verify the official homepage/API endpoints (alphashop/skill.alphashop.cn) independently.
3) Check how auth.json is stored (file permissions, whether secret is encrypted) and avoid entering long-lived secrets unless you trust the package.
4) Consider installing in an isolated environment (container or VM) and reviewing the installed package code before granting sensitive credentials.
If you cannot confirm the npm package source and code, treat this as higher risk.
Like a lobster shell, security has layers — review code before you run it.
latestvk97am8czt0hgdwycq295wr6yps83mc59
