Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cmdb Query

v1.0.0

Query CMDB asset data. Supports queries by resource type (hosts, applications, databases, etc.) and filtering by name.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md examples and lib/query.py are consistent: the skill queries an internal CMDB and uses curl/jq for CLI examples. Declared required binaries (curl, jq) match the examples. However, the skill embeds a username/password in both SKILL.md and the code instead of using a declared credential or environment variable — this is unexpected even for a read-only query tool.
Instruction Scope
SKILL.md instructions stay within the stated purpose (how to log in and query resources). They include explicit login endpoint, sample curl commands and the clear instruction to use an Authorization token. But the documentation exposes a plaintext credential pair (openclaw_read / JzXCxTaDxE), which broadens the attack surface and is beyond what a typical instruction-only skill should publish.
Install Mechanism
No install spec (instruction-only plus a small helper script). Nothing is downloaded from external URLs and no packages are installed by the skill, which limits supply-chain risk.
Credentials
The skill declares no required environment variables or external credentials, yet both SKILL.md and lib/query.py include hard-coded credentials. The code also sets verify=False for TLS requests (skips certificate validation). Embedding credentials in files and disabling TLS verification are disproportionate to the stated purpose and increase risk of credential exposure and MITM attacks on internal traffic.
Persistence & Privilege
The skill is not always-enabled and is user-invocable (normal). It does not request system-wide persistence or modify other skills' configs. It does cache a token in module-level variables at runtime (ephemeral within the process), which is normal for a short-lived helper.
What to consider before installing
This skill appears to be a legitimate CMDB query helper, but it embeds plaintext credentials and disables TLS verification. Before installing or using it: verify the source and the internal homepage (10.255.227.233), confirm the provided account's intended scope (read-only and limited), remove hard-coded secrets (move them to secure environment variables or a secrets store), enable TLS validation (remove verify=False), and consider rotating the exposed password. Also avoid granting the skill autonomous/invisible access until you are comfortable with its network targets and the credential handling.


Version: latest (vk97cv10ejnps46q47gk1d95ys9835zrq)

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Platform: Clawdis
Bins: curl, jq
