Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

bd1

v1.0.0

BD-1 brand analysis skill. Designed for the brand-design research assistant scenario, it contains four core modules: Module A, Case breakdown: triggered when the user provides brand cases, reference images, or competitor lists; extracts commonalities, differences, strategies, and reusable methods. Module B, Organizing design logic: triggered when the user provides scattered material such as brand background, user personas, and design direction; organizes it into proposal logic that can be explained clearly. Module C, Tracking the industry: triggered when the user gives industry-related...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (brand analysis modules A–D) match the included instruction files and output formats. However the runtime requirement to always produce a .pptx saved to C:\Users\Lenovo\Desktop\... is an unnecessary, hard-coded assumption about OS and username and is disproportionate to the stated purpose (a generic save location or prompting the user would suffice).
Instruction Scope
Instructions tell the agent to generate a PPTX and write it to a specific desktop path. That requires filesystem write access and assumes Windows and a user named 'Lenovo'. The SKILL.md does not instruct reading other system files or credentials, but the hard-coded path grants the skill explicit write access to a likely sensitive user location (Desktop). The skill also instructs installing/using pptxgenjs, which implies the agent will execute Node/npm commands or run JS — this is not impossible but expands what the agent must do at runtime.
Install Mechanism
There is no install spec included (instruction-only), which is low-risk. The SKILL.md suggests using 'pptxgenjs' and instructs the user to run 'npm install -g pptxgenjs' if missing; this is a runtime dependency suggestion rather than an automated install. No external download URLs or extracted archives are present.
Credentials
The skill declares no environment variables or credentials — appropriate for its purpose. However it expects access to a specific filesystem path (C:\Users\Lenovo\Desktop) which is an implicit privilege request; this is unnecessary and may be inappropriate for users on non-Windows systems or with different usernames.
Persistence & Privilege
Skill is not forced-always, is user-invocable, and allows model invocation (platform defaults). It doesn't request persistent privileges, modify other skills, or claim system-wide config changes.
What to consider before installing
This skill appears to do what it says (brand analysis + create a PPTX), but it has two awkward and potentially problematic assumptions: (1) it always tries to save the output to C:\Users\Lenovo\Desktop\BD1_....pptx — a hard-coded Windows path and username — which may fail or write files in an unexpected place; (2) it expects pptxgenjs (npm) to generate the PPTX, so the agent/runtime may need Node/npm available or ask you to install it. Before installing or enabling the skill, consider asking the author to: (a) remove the hard-coded path and prompt the user for a save location or use a platform-agnostic default (e.g., ask where to save or use the agent-provided downloads folder); (b) document exactly how the PPTX is generated and whether the agent will execute Node/npm commands; (c) confirm the skill will not read other files beyond what you provide. If you proceed, ensure the agent runs in an environment where you control file writes (or sandboxed) and verify any requested npm installation is performed by you rather than automatically by the agent.

