Coding Plan Usage
Queries the remaining hours of Alibaba Cloud Coding Plan using a command-line tool. Invoke when user asks for Coding Plan usage.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by @jeeaay
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the code: the Python script uses a headless/automated browser (agent-browser) to open Alibaba pages and extract Coding Plan usage. No unrelated cloud credentials are requested. The script also supports session persistence (session name) to reuse login state, which is reasonable for this purpose.
Instruction Scope
Runtime instructions tell the agent to run scripts/aliyun.py and to decide whether the environment is a sandbox vs real system and (in real environments) install missing dependencies. The script will open web pages, take screenshots saved to the working directory, and parse page snapshots. The instructions give the agent broad discretion (detect sandbox and install global packages), which increases risk and scope creep beyond simply 'query usage.'
Install Mechanism
The skill has no formal install spec (instruction-only), but README and SKILL.md indicate installing agent-browser via 'npm install -g agent-browser' if missing. Installing a global npm package on the host is a moderate-risk action (downloads and executes third-party code). The skill itself does not auto-install, but it instructs that behavior.
Credentials
The script searches for and parses .env files (parent of scripts directory and current working directory) and reads environment variables such as AGENT_BROWSER_PATH, AGENT_BROWSER_DEV_MODE, and AGENT_BROWSER_SESSION_NAME. Reading workspace .env files can expose unrelated secrets; silently reading .env without explicit user consent is disproportionate for a simple usage query. Session persistence reuses local browser storage/cookies, which may retain authentication state.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It uses a named agent-browser session to persist login state (cookies/localStorage) which is expected for convenience but means login/session data can be reused across runs — be aware of leftover auth state on the host.
What to consider before installing
This skill appears to implement its stated function, but exercise caution before running it on a machine that contains sensitive environment variables or credentials. Specific points to consider:
- The included script will look for and parse .env files (parent of the scripts folder and current working directory). If you have any secrets in those files, the script may read them — move or redact .envs before running.
- If agent-browser is missing, the README suggests installing it globally with npm. Installing third-party global packages alters the system and pulls code from npm; review the agent-browser project and prefer installing in an isolated environment or container.
- The script opens the Alibaba login page and may save a login screenshot to the current directory and reuse browser session data (cookies/localStorage). Run it in a throwaway/isolated directory or VM if you don't want persistent auth artifacts.
- If you want to proceed: review the full scripts/aliyun.py file yourself, run the script in an isolated environment, do not run it on a machine with high-value credentials or secrets, and avoid allowing the skill/agent to auto-install packages without your explicit confirmation.
If you’d like, I can (a) point out the exact lines that read .env files and invoke subprocesses, (b) suggest a minimal-safe checklist to run this locally (container command example), or (c) produce a trimmed-down version of the script that avoids auto-reading workspace .env files.
Like a lobster shell, security has layers — review code before you run it.
Current version v1.0.1
SKILL.md
Coding Plan Usage Helper
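A command-line tool for querying the remaining Alibaba Cloud Coding Plan quota.
When to use
Invoke proactively in the following scenario:
- The user wants to "query the remaining Alibaba Cloud Coding Plan quota"
Execution flow
- Run the Python script scripts/aliyun.py directly
- If the run reports that agent-browser does not exist: first determine whether this is a sandbox environment; install the dependency only when it is missing in a real environment, otherwise tell the user that a missing dependency in a sandbox is normal
- Output and explain the result
Pay attention to the path at runtime: switch to the directory that contains the script, or run it with the full path.
How to run
Run the Python script scripts/aliyun.py directly:
macOS / Linux: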
python scripts/aliyun.py
Windows (PowerShell):
python .\scripts\aliyun.py
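If the command exists, go straight to "Output interpretation rules".
Output interpretation rules
- Not logged in: the script automatically opens the Alibaba Cloud home page, goes to the login page, and saves a screenshot to the current directory as aliyu-login.png. The terminal prompts you to scan the QR code; after scanning, run the script again. If the channel allows sending images, you can send the screenshot directly to the user; otherwise you can help the user open the image.
The script stops once the screenshot has been taken. When the user replies that the QR-code login is complete, run it again.
Example output: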
Already logged in: false
Entered login page: true
请使用阿里云 App 扫码完成登录后,再次执行此程序以查询用量。
Login screenshot: /opt/coding-plan-usage/aliyu-login.png
Scan completed: false
- Logged in: the script automatically opens the Coding Plan page and outputs the remaining quota as JSON.
Example output:
{
"hours5": {
"usage": "0%",
"resetTime": "2026-03-14 18:27:45"
},
"week": {
"usage": "27%",
"resetTime": "2026-03-16 00:00:00"
},
"month": {
"usage": "15%",
"resetTime": "2026-04-09 00:00:00"
}
}
After the usage has been read successfully, the program automatically closes the browser session.
