Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Chatbot Engine
v1.0.0 · Chatbot Engine (intelligent dialogue engine) - Multi-turn dialogue and intent recognition
by Lv Lancer (@kaiyuelv)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe a multi-turn chatbot and the included Python modules implement exactly that (dialogue manager, intent classifier, KB, LLM adapter). The included LLMAdapter (openai/anthropic/local/mock) and knowledge-base/vector logic align with the stated purpose.
Instruction Scope
SKILL.md gives only standard usage/installation instructions (pip install -r requirements.txt and usage examples). It doesn't instruct the agent to read unrelated files or exfiltrate data. Runtime code does perform file I/O (save/load sessions, save/load KB/intents) which is expected for this purpose.
Install Mechanism
There is no install spec beyond 'pip install -r requirements.txt'. The requirements.txt does not include packages that the code imports (e.g., sentence_transformers and fuzzywuzzy are used but not listed). That mismatch may cause runtime failures or unexpected manual installs. No remote downloads are present, but missing deps increase friction and hidden manual steps.
Credentials
The skill declares no required environment variables, but LLMAdapter reads provider-specific env vars like OPENAI_API_KEY / ANTHROPIC_API_KEY (os.getenv(f"{provider.upper()}_API_KEY")). Those keys are not declared in metadata. The adapter will call external LLM providers if provided API keys are available — this is expected for a chatbot but the omission in declared env requirements is a transparency/regression issue and could lead to accidental exposure of keys if the agent supplies them.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system-wide agent settings. It stores/loads sessions and KB under paths provided by callers; that is normal for this kind of skill.
What to consider before installing
This package largely implements a local chatbot, but review and proceed cautiously:
- Missing declared env vars: The LLM adapter will read env vars like OPENAI_API_KEY or ANTHROPIC_API_KEY if you initialize with those providers; these were not listed as required. Do not install or run the skill with sensitive API keys in your environment unless you trust it.
- Missing dependencies: The code imports sentence_transformers and fuzzywuzzy, but requirements.txt does not list them. Either add those to requirements.txt or run in 'mock' or 'local' mode to avoid installing them. Unexpected manual dependency installation increases risk if you copy commands from third-party sources.
- Network calls and data flow: If you configure provider='openai' or 'anthropic' the adapter will use the respective client libraries to call external APIs and send prompts/context. That means user messages and context can be transmitted to those services — expected for a chatbot but important to know for sensitive data.
- Run in a sandbox first: Execute unit tests and examples in an isolated environment (virtualenv/container) and try provider='mock' to observe behavior without network calls.
- If you need to use production LLMs, explicitly set and scope API keys and audit network usage; consider adding explicit declarations to requirements and SKILL.md documenting env var names and what will be transmitted.
- If you want to be stricter: update requirements.txt to include sentence_transformers and fuzzywuzzy (or modify code to optionally import them), and document the env vars the adapter will read. If you cannot verify these, treat the package as untrusted code and do not provide real API keys or sensitive data.
Like a lobster shell, security has layers — review code before you run it.
