ClawHub

bookmark

v1.0.0

Search and browse the Shuqianlan bookmark library by keyword, latest updates, categories, articles, or links in a read-only mode.

1· 190·1 current·1 all-time
by@jvy
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Skill name/description (search/browse Shuqianlan) match the included Node script and the reference map. Minor mismatch: the SKILL.md metadata requires the 'node' binary, but the registry 'Required binaries' list is empty; the script will need Node to run.
Instruction Scope
Runtime instructions are narrowly scoped to five read-only commands (search, latest, categories, articles, links) that run the bundled Node script and return its output. The SKILL.md documents an optional BOOKMARK_BASE_URL environment override and a --base-url flag; if used, the script will fetch from that URL instead of the default site (this is useful for testing but could be abused to make the agent fetch arbitrary endpoints).
Install Mechanism
No install spec (instruction-only plus bundled JS). Nothing is downloaded or executed at install time beyond running the included Node script at runtime.
Credentials
No credentials or required env vars are declared. The script reads an optional BOOKMARK_BASE_URL env var to change the data source; this is reasonable for a client but should be noted since it allows pointing requests at arbitrary hosts. No secret exfiltration appears in the code.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or global agent settings. It can be invoked autonomously per platform default, which is expected for a functional skill.
Assessment
This skill appears to do what it claims: run a bundled Node script to query the public Shuqianlan bookmark site. Before installing, verify you have Node available (SKILL.md requires it, though the registry metadata omitted it). Note the optional BOOKMARK_BASE_URL env var and --base-url flag: by default the skill fetches https://shuqianlan.com, but if you or a user sets the base URL the skill will fetch from that host — this is useful for testing but could be used to make the agent request arbitrary or internal endpoints (SSRF risk). The skill does not ask for credentials or write persistent state. If you want extra assurance, review the full scripts/bookmark.mjs file locally to confirm there are no hidden network endpoints or telemetry before enabling autonomous invocation.
scripts/bookmark.mjs:3
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bwx34e01mrh1m7gq1w65n7h82xh2y

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments