Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Jlceda Plugin Builder

v0.1.0

AI Skill for building EasyEDA Pro extension plugins. Used when users need to create, modify, or debug JLCEDA/EasyEDA Pro plugins, including generating plugin...

by JasonYANG17 @jasonyang170
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the instructions (plugin development for EasyEDA Pro). However SKILL.md and AGENTS.md both insist the authoritative index.d.ts is bundled and must be searched for API verification, yet the provided file manifest does not include index.d.ts. Asking the agent to read a file that isn't bundled is an incoherence: either the skill expects access to workspace files outside the skill bundle, or the package is incomplete.
Instruction Scope
Runtime instructions are narrowly scoped to building/modifying EasyEDA plugins and specify concrete safe alternatives to forbidden browser APIs. They instruct the agent to run searches (grepSearch), read files (readFile), clone public GitHub repos, and use npm build steps — all reasonable for a dev skill. The unusual constraint 'always search the bundled index.d.ts; do not look in node_modules' is restrictive and conflicts with the missing index.d.ts, which could cause unexpected behavior or force the agent to access other workspace files.
Install Mechanism
Instruction-only skill with no install spec and no code files to execute. This is low risk from an installation perspective; operations that modify disk (git clone, npm install, build) are invoked only as explicit workflow steps, not as an automatic installer.
Credentials
The skill requests no environment variables, no credentials, and no config paths. All recommended operations (git clone public repos, npm) are proportional to a plugin-development skill.
Persistence & Privilege
always:false and no special persistence or cross-skill configuration changes are requested. The skill allows normal autonomous invocation (platform default), which is not by itself a red flag; combined with the earlier inconsistency it warrants caution but not a privilege concern.
What to consider before installing
This skill appears to be a focused EasyEDA Pro extension development helper, but before installing or using it you should:
1) Verify whether an index.d.ts file (the skill repeatedly cites it as authoritative) is actually included or available in your workspace — the provided package does not list it. If it is missing, ask the skill author or include a trusted index.d.ts from the official @jlceda/pro-api-types package.
2) Inspect/confirm the external GitHub repositories the skill may clone or recommend (pro-api-sdk, extension-dev-mcp-tools) before allowing the agent to run git clone / npm install / npm run build.
3) Be aware the skill will read project files (extension.json, code, type definitions) and may run build/debug tools — do not run it in a workspace containing secrets or credentials.
4) If you plan to allow autonomous operation, prefer supervised mode until you validate its behavior (especially because of the missing index.d.ts).
If the author cannot explain the missing type file or provide a trusted source for it, treat the package as incomplete and do not run automated builds.

Like a lobster shell, security has layers — review code before you run it.

latestvk972dkha4j9z9cr88jpetged7d83e6cx
