Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
拾遗 · 通用备考错题追踪(shiyi-study-tracker)
v1.0.0拾遗 · 通用考试备考追踪 Skill。适用于任何考试——GRE、雅思、考研、注会、高考、期末…… 核心功能:识别错题截图 → 自由标签分类 → 词库积累复用 → 二刷提醒 → 导出 Excel。 触发关键词:做了题、错了、截图发来、导出错题、待二刷、记得、不记得、换考试。 图片消息直接触发识别。
⭐ 0· 113·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the implemented files: multimodal image parsing, tag library, local JSON storage, reminders, and Excel export. The files and logic are coherent with an exam study tracker.
Instruction Scope
Runtime instructions and code operate on user-provided messages/images and local data under ~/.openclaw/skills/shiyi/data. The agentCall invocation sends image+prompt to the configured multimodal model (expected for OCR/analysis). There are no instructions to read unrelated system config or to transmit data to third‑party endpoints beyond the agentCall model invocation.
Install Mechanism
This is instruction/code-only (no platform install spec). The Node code uses a Python helper (writes and runs a temporary .py using openpyxl) when exporting Excel files but package.json does not declare Python/openpyxl dependencies. Users must have a system Python and openpyxl installed for exports to work; this is an operational requirement rather than a malicious installer.
Credentials
The skill declares no required env vars, credentials, or external config paths. It only reads/writes files under the skill data directory in the user's home directory, which is consistent with its purpose.
Persistence & Privilege
always:false and no manipulation of other skills or global agent settings. The skill persists its own data under ~/.openclaw/skills/shiyi/data (config.json, wrong_questions.json, backups, exports), which is expected for a local tracker.
Assessment
This skill appears coherent and implements the stated study-tracker features locally. Before installing, note: (1) it writes all data to ~/.openclaw/skills/shiyi/data (questions, tag library, backups, exports) — review and manage that directory if you care about privacy; (2) image recognition is performed by the agentCall/multimodal model configured in your OpenClaw environment, so screenshots and prompts are sent to whatever model endpoint your agent uses — ensure you trust that model/provider; (3) the Excel export runs a small temporary Python script that requires Python + openpyxl on your system (not declared in package.json) — install those if you need export-with-images to work; (4) the skill runs scheduled scripts (cron/job entries suggested in README) which will read/write the local data dir — verify the cron configuration and channels (e.g., Feishu) you wire it to. If any of these are concerns (remote model usage, local data retention, or additional runtime deps), review the source files or run in a sandbox before enabling for production use.scripts/export_xlsx.js:26
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk9757688ha67bncqtg4tzbv61s8361ec
License
MIT-0
Free to use, modify, and redistribute. No attribution required.