Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
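Civil Service Exam Prep Tracker (考公备考追踪)
v1.0.3
朱批录 · National civil service exam (国考) prep tracking Skill. Triggered when the user sends practice-set scores, screenshots of wrong questions, study check-ins, or review progress. Core functions: recognize wrong-question screenshots → classify the cause of each error → update local records → generate a daily summary → export to Excel / sync to Feishu. Trigger keywords: 做了一套题 (did a practice set), 今天做了 (did today), 错了几道 (got a few wrong), 帮我分析 (help me analyze), 备考打卡 (study check-in), 行测 (administrative aptitude test), 申论 (essay test), 判断推理 (judgment and reasoning), 资料分析 (data analysis), 言语...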
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
The name/description (exam study tracker: capture wrong-question screenshots, classify reasons, update local records, export Excel, optionally sync to Feishu) matches the included scripts and data layout. Required capabilities (local JSON storage, image handling, optional Feishu sync and optional multimodal model calls) are consistent with the stated purpose.
Instruction Scope
Runtime instructions and code operate within scope: parse messages, optionally call a multimodal model, run local OCR fallback, persist JSON under ~/.openclaw/skills/.../data, generate exports and optionally upload to Feishu. One minor inconsistency: SKILL.md/README emphasize 'not depending on local OCR', yet a local OCR script (scripts/ocr_image.py) is included and can be invoked as a fallback. The MULTIMODAL_PROMPT forces detailed outputs (full visual_description/question_text), which means large amounts of image-derived content will be sent to whichever multimodal model you configure — this is expected for the feature but relevant to privacy.
Install Mechanism
No external arbitrary download/install spec in the skill manifest (instruction-only install). package.json lists normal JS dependencies (xlsx) and optional pip instructions for PaddleOCR. The code runs local scripts and dynamically generates a Python script for openpyxl. The only significant installs are optional: paddlepaddle/paddleocr (large model downloads) and optional sharp. No use of obscure download URLs or extracted arbitrary archives was found.
Credentials
The skill does not require environment variables by default. Optional sensitive credentials are stored in a config.json (not env vars): multimodal model API config and Feishu credentials (app_id/app_secret/doc_token) — these are proportional to optional features (remote multimodal model usage and Feishu sync). Users should be aware that enabling these features will cause images/text to be transmitted to those third parties. All image data and base64 strings are stored locally by default.
Persistence & Privilege
The skill persists data in ~/.openclaw/skills/kaogong-study-tracker/data/ (daily records, wrong_questions.json, backups, review state). It creates a local flag file on first run to avoid repeating onboarding. Cron-scheduled scripts (daily_summary, review_reminder) are present but run only if enabled in workspace.yaml; the skill itself does not force always:true. This local persistence is consistent with its purpose.
Assessment
This skill appears to do exactly what it says: it stores your study logs and screenshots locally, can export an Excel with embedded screenshots, and can optionally upload selected data to your Feishu account if you configure Feishu app credentials. Before installing or enabling optional features, consider:
- Privacy: screenshots are stored as base64 in ~/.openclaw/skills/kaogong-study-tracker/data/ (wrong_questions.json). If you keep sensitive content in images, do not enable cloud sync.
- Feishu sync: only occurs if you create/configure feishu settings in config.json; it will upload images to your Feishu app/account. Only provide app_id/app_secret/doc_token if you trust that destination.
- Multimodal model use: to auto-parse images the skill sends images/text to whichever multimodal model you configure (remote models will receive the image-derived data). If you prefer fully local processing, configure/use the included OCR (scripts/ocr_image.py with PaddleOCR), but note that the paddlepaddle install and its downloaded models can be large.
- Optional dependencies: exporting with embedded images runs a dynamically generated Python script and requires openpyxl (the script assumes you have a working python/python3 and openpyxl). The skill’s package.json provides pip/npm hints; these installs are normal but can be heavy (PaddlePaddle).
- Minor docs/code mismatch: docs say “doesn't rely on local OCR”, but a local OCR fallback (ocr_image.py) is present — behavior depends on your configuration.
If you want to proceed: inspect and control config.json before enabling Feishu/multimodal models, and be comfortable with local storage of image data. If you do not want any cloud transmission, avoid configuring remote multimodal model API keys and Feishu credentials.
scripts/export_xlsx.js:34
Shell command execution detected (child_process).
scripts/feishu_doc.js:194
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
