Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name, description, and examples match a cycling tracker (logging, speed analysis, routing). However, the bundle is instruction-only yet references usage of an external CLI ('clawhub') in SKILL.md/README and _meta.json declares a binary dependency on curl — the registry metadata shown to the user (Requirements: none) contradicts _meta.json. It's reasonable for a tracker to call external tools, but the declared requirements should match.
Instruction Scope
SKILL.md only shows example commands that run 'clawhub cycle ...' and does not instruct reading unrelated files or environment variables. That keeps scope narrow. However, those commands rely entirely on an external CLI (clawhub) whose behavior is not included here — the instructions give the agent broad ability to run that CLI, which could perform arbitrary actions. The skill does not document where ride data is stored or what endpoints clawhub uses.
Install Mechanism
There is no formal install spec in the registry entry (instruction-only), but README suggests 'npx clawhub@latest install cycling-tracker' and SKILL.md examples call the 'clawhub' CLI. That implies a dependence on installing a third-party CLI via npx, which will fetch code at install time. Additionally, _meta.json declares a 'curl' binary requirement. The combination (no packaged code in the skill, but external CLI install implied) increases risk because the external CLI's code and network activity are outside this skill bundle.
Credentials
The skill does not request environment variables, credentials, or config paths. For the declared purpose (tracking, analysis, routing) this is proportionate. Still, because it depends on an external CLI, that CLI might request its own credentials — that is not documented here.
Persistence & Privilege
Skill flags are default (not always-on, user-invocable, model invocation allowed). There is no evidence the skill requests permanent presence or modifies other skills/config. This is appropriate for its purpose.
What to consider before installing
This skill appears to be a simple, instruction-only cycling tracker, but there are small inconsistencies you should resolve before installing: (1) _meta.json lists 'curl' as a required binary although the registry summary showed none — confirm whether curl is needed. (2) The SKILL.md and README expect an external 'clawhub' CLI and instruct using 'npx clawhub@latest install ...' — understand and audit that CLI before running it (npx will fetch and execute remote code). (3) Ask the author where ride data is stored, what network endpoints are contacted, and whether any credentials are required by the external CLI. If you cannot verify the clawhub package and its behavior, avoid installing or run it in a restricted environment (isolated VM/container) and inspect the CLI code before granting network or filesystem access.Like a lobster shell, security has layers — review code before you run it.
latest
Cycling Tracker
骑行追踪工具,记录你的骑行旅程。
功能
- ✅ 骑行记录
- ✅ 速度分析
- ✅ 路线规划
- ✅ 训练计划
- ✅ 统计报告
使用
# 记录骑行
clawhub cycle log --distance 20 --time 60
# 速度分析
clawhub cycle speed --distance 20 --time 60
# 路线规划
clawhub cycle route --distance 30 --type "scenic"
# 查看统计
clawhub cycle stats --month 2026-04
定价
| 版本 | 价格 | 功能 |
|---|---|---|
| 免费版 | ¥0 | 基础记录 |
| Pro 版 | ¥39 | 全部功能 |
| 订阅版 | ¥9/月 | Pro+ AI 计划 |
Comments
Loading comments...