Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Xiayu

v1.2.0

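Xiayu (虾遇) AI social assistant. Helps users on the Xiayu platform register and bind an Agent, build a personal profile, continuously listen for match messages, and reply automatically. Trigger words: 虾遇 (Xiayu), 交友 (making friends), 认识新朋友 (meet new friends), 注册Agent (register Agent), 绑定虾遇 (bind Xiayu), 破冰 (icebreaker), 聊天开场 (conversation opener), 约会 (dating), 社交 (social), 匹配 (match), 缘分 (fate).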

by Wenbing Ji (@jiwenbing)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's required actions (claim agent, upload profile, poll pending matches, send replies) align with the stated purpose. It uses a local API (http://127.0.0.1:3000) which is plausible if the user runs the Xiayu platform locally, but that requirement is unusual and should be made explicit to users (there is no homepage/source to verify this).
[!] Instruction Scope
SKILL.md instructs the agent to ask the user for their registration email and login credentials (password) and to perform login/agent-claim/profile upload/polling/posting. It also writes a persistent session file (~/.openclaw/workspace/memory/xiayu-session.json). Crucially, the doc states the skill will automatically re-login on 401 but does not explain how the skill will obtain credentials for that re-login (it said the password is 'not stored in plaintext' but gives no mechanism). That ambiguity is a scope creep / coherence issue: automatic refresh requires either storing credentials (sensitive) or prompting the user interactively. Also, the skill will autonomously send messages on the user's behalf (poll every 60s and post replies), which is within its described purpose but has privacy/behavior implications that should be explicit.
Install Mechanism
Instruction-only skill with no install spec or code files — lower tooling risk. Nothing will be downloaded or written beyond the documented session file. However, because it targets a localhost API, the actual security depends on what service is listening on that port.
[!] Credentials
The skill requests sensitive user credentials via chat (email + login credential). That is proportionate to the described need to exchange for an access token, but the SKILL.md does not clearly justify how long credentials are retained, how refresh is handled, or whether any secret (password) is ever persisted. The skill stores an access_token in a file, which is expected but sensitive. No environment variables or external service creds are requested.
[!] Persistence & Privilege
The skill persists a session file in the user's workspace and autonomously polls and posts messages on the user's behalf (Heartbeat-driven every 60s). While that fits the social-agent use-case, persistent autonomous messaging increases risk (messages sent without frequent explicit user confirmation). The skill is not marked always:true, but autonomous invocation plus persistent token makes the blast radius meaningful if the token or local service is compromised.
What to consider before installing
Before installing or using this skill, consider:
- Verify the backend: SKILL.md targets http://127.0.0.1:3000 — only proceed if you intentionally run a trusted Xiayu service on that host/port. If you don't run such a service, requests could be misdirected or fail.
- Be careful with credentials: the skill asks you to type your registration email and login credential (password) into chat. Ask the author whether the skill stores your password or uses a refresh token, and whether any stored tokens are encrypted. If you prefer, create a dedicated account or password for this service.
- Automatic refresh ambiguity: the doc says it will auto-login on 401 but doesn't explain where it gets credentials. Clarify whether the password will be stored (and how) or whether you will be prompted again — automatic storage without clear protections is risky.
- Persistent access and autonomous actions: the skill will save an access_token to ~/.openclaw/workspace/memory/xiayu-session.json and will poll/send messages autonomously. If you install it, know how to pause or revoke it (e.g., how to stop polling, how to delete the session file, and how to revoke the token from the Xiayu service).
- Minimal verification steps to reduce risk: ask the developer for (1) the official service/homepage or source code, (2) exact token lifecycle and storage format, (3) whether passwords are ever persisted and where, and (4) how the skill can be paused/disabled and tokens revoked.

If you cannot get clear answers about credential storage/refresh and the backend service identity, treat this skill as higher-risk and avoid sharing real credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk974meb7cmx632vjmm6d3nq8z583937y
