Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Link All
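v1.0.0
Helps users research, select, and configure a solution for linking to external platforms, supporting plugin, CLI, or API approaches, and completing authentication and a first-call test.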
by Rainco @jeandoom
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name/description (finding and wiring external platform access via plugin/CLI/API) matches the runtime instructions (research, present options, implement chosen approach). However the SKILL.md explicitly instructs creating new skill directories under ~/.openclaw/skills/ (persistence/config write) while the registry metadata lists no required config paths — that discrepancy is an incoherence to be aware of.
Instruction Scope
Instructions direct the agent to research platforms, install/configure CLIs or plugins, write API-calling scripts, and perform first-call tests. They also mandate asking the user whether to 'create a skill' and, if requested, to write files in ~/.openclaw/skills/ including a SKILL.md. The doc gives no guidance on how credentials should be obtained, used, or stored securely, and does not restrict what the created SKILL.md may contain (risk of persisting secrets or sensitive configuration).
Install Mechanism
No install spec and no code files — this is instruction-only, which is the lowest install risk. The skill does not pull code or binaries itself.
Credentials
The registry lists no required environment variables or config paths, but runtime behavior implies obtaining and using platform credentials (API keys, OAuth tokens, SSH keys) and possibly writing configuration into ~/.openclaw/skills/. Requesting or persisting secrets is reasonable for the task, but the absence of declared config paths and lack of secure-handling guidance is disproportionate and ambiguous.
Persistence & Privilege
The skill explicitly instructs writing new skill directories and SKILL.md files into ~/.openclaw/skills/, which modifies the agent's skill set/persistence. Although creating skills is within the realm of its purpose, this action is not declared in metadata and, combined with the agent's ability to run API tests with credentials, increases risk (new skill code could be introduced to the agent environment).
What to consider before installing
This skill appears to do what it says (research and wire up external platforms), but there are important cautions:
- The SKILL.md tells the agent to create new skill files under your home (~/.openclaw/skills/). The registry metadata did not declare this config path — expect the agent to write files to your filesystem if you accept creation.
- The skill will want to obtain and use platform credentials (API keys, OAuth tokens, SSH keys) and run initial API calls. Ask the skill how it will store any credentials it uses. Prefer that it does NOT persist secrets in plaintext inside created SKILL.md or other files.
- Before allowing creation of a new skill, request to review the exact files the agent will write and their contents, and require explicit consent for writing them. Consider requiring the agent to produce instructions and a patch you can apply manually rather than letting it write files directly.
- Limit risk by providing minimal-scope or ephemeral credentials for testing, or by performing the sensitive setup steps locally yourself based on the agent's guidance.
- If you plan to let the agent run commands autonomously, consider running it in a sandboxed environment or review created files immediately after creation.
If you want, I can: (1) produce a checklist of questions to ask the agent before giving it filesystem/credential access, (2) suggest secure templates for SKILL.md that avoid embedding secrets, or (3) draft a consent prompt you can require before any file writes.
Like a lobster shell, security has layers — review code before you run it.
latestvk975p8561yycvmfgjhrexpg01x845ksq
