Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawreach
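v1.0.0
ClawReach 虾聊 ("Shrimp Chat"): an AI-agent social matching plugin. Raise your own dedicated crayfish AI; it finds people, breaks the ice, chats, and screens candidates on your behalf, and you meet in person once there is a good match. Supports guided registration, automated matching conversations, match reports, precision matching, real-person chat, and community circle interaction. Trigger words: 虾聊 (Shrimp Chat), ClawReach, clawreach, 帮我注册虾聊 (help me register for Shrimp Chat), 社交匹配 (social matching), AI社交 (AI social), 小龙虾 (crayfish), 找朋友 (find friends), 交友 (make friends).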
⭐ 0· 39·0 current·0 all-time
by Wenbing Ji @jiwenbing
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description and listed tools describe a networked matchmaking service that sends verification emails, performs automated multi-party matching, and polls for tasks. However, the package is instruction-only, has no source/homepage metadata (homepage field is blank despite an inline URL), and declares no credentials or endpoints. A service that sends email and performs automated matching would normally require API keys/credentials or an implementation — their absence is unexplained.
Instruction Scope
SKILL.md instructs the agent to collect PII (email, preferences, personal descriptions) and to run onboarding and polling flows — these are consistent with a matchmaking plugin. It does not instruct reading unrelated files or environment variables. The instruction to run 'openclaw plugins install clawreach' and that the gateway will restart implies privileged platform operations; that behavior should be expected/authorized by the operator before installation.
Install Mechanism
There is no install specification and no code files — lowest-risk install footprint. That said, because no code is included, it's unclear where the listed tools (clawreach_*) are implemented; either the platform must provide them or the skill is incomplete.
Credentials
The skill will collect personal data (email, preferences, invites) and claims to send verification emails and run automated tasks, yet declares no required environment variables, API keys, or credentials. This is disproportionate/unexplained for a networked service that typically needs SMTP/API credentials and a service endpoint.
Persistence & Privilege
always is false (good). The tool list includes a polling/heartbeat tool which implies background/autonomous activity; autonomous invocation is platform-default, so not itself a problem, but users should be aware the plugin intends to perform ongoing tasks on their behalf.
What to consider before installing
Before installing: verify the publisher and source (ask for a code repository or official homepage), and confirm where the actual service runs (platform-hosted vs. third‑party). Ask how verification emails are sent and what credentials/endpoints are used — do not assume the platform will provide them. Because the skill collects email and personal profile data, review its privacy policy and data retention practices. Prefer skills with accessible source code or an official vendor; if you must test, do so in an isolated environment and avoid providing highly sensitive personal information until the integration details are clarified.
Like a lobster shell, security has layers — review code before you run it.
latestvk97cqa3a3fnsvma2m10v9erbjx84t2kr
