Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using it.
Shuyan (数安云智) Data Classification and Grading
v1.0.1 Shuyan (数安云智) data classification and grading sync interface, used for batch classification and grading of field information. Supports sensitive data identification, data classification and data grading. Configure the API address and authentication key before use.
⭐ 0 · 346 · 0 current · 0 all-time
by PILAO@jianmo1997
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
Confidence: high
Purpose & Capability
Name/description, declared primary credential (SHUYAN_API_KEY), required binary (curl), and the included scripts all align with a client that sends batch field metadata to a classification API. The homepage pointing at localhost looks like a placeholder rather than an external service but is explainable given the default API_URL value.
Instruction Scope
SKILL.md and the scripts instruct only to POST JSON to the stated endpoint and to perform health checks; they do not request unrelated files, credentials, or network destinations. The SKILL.md suggests storing the API key in environment variables or in ~/.openclaw/openclaw.json (which is a normal configuration choice but has privacy implications).
Install Mechanism
There is no install spec (instruction-only), which minimizes install-time risk. However, the Python script expects the third-party 'requests' package and does not provide an automated install step; users will need to run pip install requests themselves. No remote downloads or archives are used.
Credentials
The skill declares SHUYAN_API_KEY as the primary credential, which is appropriate. The code and SKILL.md also rely on SHUYAN_API_URL, but SHUYAN_API_URL is not listed in the registry's 'required env vars' metadata (a minor inconsistency). Both scripts ship default values ('sk-secret-key' and 'http://localhost:8080'), which are almost certainly placeholders; the hardcoded default key is not a real secret, but a silent fallback to it can mask a misconfigured or unset SHUYAN_API_KEY.
Persistence & Privilege
The skill does not request 'always: true', does not modify other skills, and has no installation step that persists privileged system changes. It is user-invocable and can be invoked autonomously per platform defaults, which is expected for a skill of this type.
Scan Findings in Context
[no-findings] expected: the pre-scan found no regex-based signals. Manual review found a functional issue (a typo in the Python health command: ShucanClassifier instead of ShuyanClassifier) but no patterns indicating credential exfiltration or hidden endpoints.
Assessment
This skill appears to be a straightforward client for a local/remote data-classification API, but check a few practical things before installing:
- Confirm the API URL you intend to use: the defaults and the skill homepage point to localhost, so set SHUYAN_API_URL explicitly to the service you operate, not to a public endpoint you do not control.
- Protect the API key: avoid storing long-lived keys in plain text where possible; if you store the key in ~/.openclaw/openclaw.json, be aware that this is local plaintext configuration. Prefer environment variables or short-lived credentials.
- Verify the data you will send: sampleList and other fields can contain personal data, so make sure you comply with your data-handling policies before sending real PII to the configured endpoint.
- The Python script requires the 'requests' package and contains a bug: the health command references 'ShucanClassifier' (a typo) and will fail. If you plan to use the Python CLI, either patch that line to use ShuyanClassifier or rely on the shell script.
- Consider scoping the API key (least privilege) and rotating it regularly.
If you want, I can produce a patched version of the Python script fixing the health-check typo and add a small README note to declare SHUYAN_API_URL as a required env var.
Like a lobster shell, security has layers: review code before you run it.
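The Credentials notes and the checklist above boil down to three things a wrapper can enforce before the client ever sends a request: refuse the scripts' placeholder defaults ('sk-secret-key', http://localhost:8080) instead of silently using them, pin SHUYAN_API_URL to a host the operator actually controls, and surface sampleList values that look like PII so they are not shipped without a decision. The following Python is an added example of such a pre-flight check; it is not the skill's own code and not produced by the scanner. The PII regexes, the allow-list parameter, the constructed SAMPLE_FIELDS input and the function names are assumptions for illustration; only fieldName/sampleList are taken from the page, and the skill's real request format is not shown here.

```python
"""Pre-flight checks for the Shuyan classification client (added example, not the skill's code)."""
import re
from typing import Iterable, List, Mapping, Optional, Tuple
from urllib.parse import urlparse

# Variable names and placeholder values taken from the scan report above.
ENV_URL = "SHUYAN_API_URL"
ENV_KEY = "SHUYAN_API_KEY"
PLACEHOLDER_KEYS = {"sk-secret-key"}
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Assumption: illustrative PII detectors for sampleList values; not taken from the skill.
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "cn_mobile": re.compile(r"^1[3-9]\d{9}$"),
    "cn_id_card": re.compile(r"^\d{17}[\dXx]$"),
}

# Constructed sample batch shaped like the field metadata the scan describes.
# Only fieldName/sampleList are assumed; other keys are not shown on the page.
SAMPLE_FIELDS = [
    {"fieldName": "user_email", "sampleList": ["alice@example.com", "bob@example.com"]},
    {"fieldName": "order_id", "sampleList": ["ORD-1001", "ORD-1002"]},
    {"fieldName": "mobile", "sampleList": ["13800138000"]},
]


class ConfigError(ValueError):
    """Raised instead of silently falling back to a placeholder default."""


def load_config(env: Mapping[str, str], allowed_hosts: Iterable[str]) -> dict:
    """Read both variables and refuse anything that looks like the scripts' defaults."""
    url = env.get(ENV_URL, "").strip()
    key = env.get(ENV_KEY, "").strip()
    if not url:
        raise ConfigError(f"{ENV_URL} is unset; not falling back to http://localhost:8080")
    if not key:
        raise ConfigError(f"{ENV_KEY} is unset; not falling back to the hardcoded default")
    if key in PLACEHOLDER_KEYS:
        raise ConfigError(f"{ENV_KEY} is still the placeholder value")
    parsed = urlparse(url)
    host = parsed.hostname
    if parsed.scheme not in ("http", "https") or not host:
        raise ConfigError(f"{ENV_URL} is not an http(s) URL: {url!r}")
    if host not in set(allowed_hosts):
        raise ConfigError(f"{ENV_URL} host {host!r} is not on the operator allow-list")
    if parsed.scheme == "http" and host not in LOCAL_HOSTS:
        raise ConfigError("plaintext http to a non-local host would expose the key and samples")
    return {"url": url, "key": key, "host": host}


def check_config(env: Mapping[str, str], allowed_hosts: Iterable[str]) -> Optional[str]:
    """Convenience wrapper: the rejection reason, or None when the config is acceptable."""
    try:
        load_config(env, allowed_hosts)
    except ConfigError as exc:
        return str(exc)
    return None


def classify_sample(value) -> Optional[str]:
    """Label of the first PII pattern a sample value matches, else None."""
    for label, pattern in PII_PATTERNS.items():
        if pattern.match(str(value)):
            return label
    return None


def find_pii(fields) -> List[Tuple[str, str]]:
    """(fieldName, label) for every field whose sampleList matches a PII pattern."""
    hits = []
    for field in fields:
        name = field.get("fieldName", "?")
        labels = {classify_sample(v) for v in field.get("sampleList", [])} - {None}
        hits.extend((name, label) for label in sorted(labels))
    return hits


def preflight(env, allowed_hosts, fields, allow_pii: bool = False) -> dict:
    """Validate config and samples; fail closed on PII unless the operator opted in."""
    cfg = load_config(env, allowed_hosts)
    hits = find_pii(fields)
    if hits and not allow_pii:
        raise ConfigError("sampleList contains PII-looking values: "
                          + ", ".join(f"{n}:{l}" for n, l in hits))
    return {"url": cfg["url"], "key": cfg["key"], "pii_hits": hits, "field_count": len(fields)}


if __name__ == "__main__":
    # Constructed environments: the placeholder key must be rejected, a pinned https host accepted.
    print(check_config({ENV_URL: "http://localhost:8080", ENV_KEY: "sk-secret-key"}, ["localhost"]))
    good_env = {ENV_URL: "https://dsc.example.internal:8443/api", ENV_KEY: "x" * 32}
    print(preflight(good_env, ["dsc.example.internal"], SAMPLE_FIELDS, allow_pii=True)["pii_hits"])
```

Wire preflight() in front of the skill's own POST: it raises on an unset or placeholder SHUYAN_API_KEY, on a SHUYAN_API_URL host outside the allow-list, and on plaintext http to anything other than a loopback address, and it returns the PII hits so the operator can decide whether those samples may leave the host at all.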
latest: vk97em0n5k3n0b39rxvzevcyyks824fxa
Runtime requirements
🔒 Clawdis
Bins: curl
Primary env: SHUYAN_API_KEY
