Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Guoshun VPN Node Retrieval (国顺VPN节点获取)

v1.0.0

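Guoshun VPN node retrieval skill, for the exclusive use of Jiangsu Guoshun Intelligent Technology Co., Ltd. (江苏国顺智能科技有限公司). Automatically searches for, tests, and organizes usable free V2Ray/Clash node subscription links, verifies their availability, and outputs importable node configurations. Features include: (1) searching for the latest free node subscriptions; (2) verifying node availability; (3) producing import tutorials for each client. Usage scenario: triggered when an employee needs a VPN; automatically obtains usable nodes and guides the import.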

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
The name/description (gather and verify free V2Ray/Clash nodes) matches the SKILL.md and the included verified-nodes references. No unexpected env vars, binaries, or install actions are requested that would be unrelated to fetching/testing subscription URLs.
Instruction Scope
Instructions are focused on searching for subscription links, testing them with curl (HTTP status), and producing import tutorials; they do not instruct reading local files or using credentials. Concern: the verification method relies only on HTTP status codes (curl returning 200) which can yield false positives — it doesn't validate that the VPN proxy actually forwards traffic or that credentials/protocols work. Search steps are high-level (keywords) and may imply web scraping of third-party sites, but that is within the stated purpose.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low risk from an install/execution perspective because nothing is written to disk by the skill package itself.
Credentials
The skill requests no environment variables, credentials, or config paths — appropriate for a tool that only aggregates public subscription URLs. The provided content references external provider URLs, but the skill itself does not ask for secrets.
Persistence & Privilege
always is false and the skill does not request elevated or persistent system privileges. Autonomous invocation is allowed (platform default) but is not combined with other concerning privileges.
Assessment
This skill appears to do what it claims: gather and do a basic availability check on free V2Ray/Clash subscription links. Before installing, consider: (1) policy — using free VPN nodes may violate company security or acceptable-use policies; check with IT. (2) Trust — the skill points to third-party domains (yoyapai.com, naidounode.cczzuu.top); verify those sources yourself because malicious or compromised nodes can intercept traffic. (3) Verification limits — the curl HTTP-200 check only confirms the URL is reachable, not that the node properly proxies traffic or is safe; a stronger test would attempt proxying traffic through the node. (4) Client safety — downloading proxy clients from unofficial sources can be risky; prefer official releases. (5) Sensitive actions — do not use these free nodes for banking or sensitive logins. If you want a higher assurance assessment, provide logs showing exactly what external requests the agent will make or have IT vet the listed provider domains and run an actual connection-through-proxy test.


Tags: clash, latest, v2ray, vpn
