Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

aupu-knowledge-base

v1.0.1

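Whenever the user mentions any need related to local documents, knowledge bases, reference materials, history records, configuration files, instruction documents, internal materials, existing content, file creation/reading, and so on, this skill must be used to retrieve or operate on files in the /mnt/data directory.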

by jianyi @jianeasy
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name and description claim local knowledge-base access under /mnt/data, and the SKILL.md indeed instructs exactly that. No unrelated binaries, credentials, or installs are requested — the purpose and required capability are aligned.
! Instruction Scope
The instructions require the agent to automatically scan /mnt/data and subdirectories for many file types and to trigger on a wide set of common keywords (e.g., '文档', '记录', '参考', '在哪里找', etc.). It explicitly says to attempt a lookup even when the user did not mention /mnt/data or a filename. That gives the skill broad discretion to read arbitrary local files and to activate frequently on ambiguous user input — this is scope creep relative to explicit, user-authorized file access.
Install Mechanism
Instruction-only skill with no install spec or code files. This is low-risk from an installation perspective (nothing gets written or executed on disk by an installer).
Credentials
No environment variables, credentials, or config paths are requested. However, the skill implicitly requires broad read access to the host's /mnt/data filesystem (and expects WebDAV mounts). That level of filesystem access can expose unrelated sensitive files; the skill does not declare any limits or filters to reduce that exposure.
! Persistence & Privilege
always:false (good), but autonomous invocation is allowed (default). Combined with the aggressive trigger rules, the skill can be invoked frequently and will read local files whenever common keywords are used. Autonomous invocation alone is normal, but here it increases the risk because triggers are broad and file access is unrestricted.
What to consider before installing
This skill will actively search and read files under /mnt/data whenever users mention many common terms (documents, manuals, deploy steps, templates, '有没有', '在哪里找', etc.), even if the user did not explicitly ask to read local files. Before installing:
- Confirm whether /mnt/data contains any sensitive or private files (credentials, secrets, personal data). If it does, do not enable this skill without restricting its access.
- Prefer a mode requiring explicit user consent or an explicit file-path input before any file read.
- Limit triggers to narrower, more specific phrases or require an explicit opt-in step.
- Test the skill in a sandboxed environment with only non-sensitive sample files.
- If you must use it, log/monitor what files it reads and consider running the agent under a sandbox or with a filesystem permission boundary so the skill cannot access unrelated data.

Given these broad automatic-scan rules, treat the skill as potentially privacy-invasive unless you can constrain or audit its file access.

Like a lobster shell, security has layers — review code before you run it.

latest vk97afed848jappk9cbs166fp4n839gs9
