ClawHub

Data Automation Service

v1.0.0

提供數據清理、自動化流程設計及報告生成,並整合多種數據源API的數據自動化服務。

0· 1.6k·29 current·33 all-time
by@katrina-jpg
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims API integrations and data-pipeline automation but declares no required environment variables, credentials, or config paths. Real integrations with external data sources normally require API keys/credentials and connector configuration, so the declared requirements are incomplete and disproportionate to the stated purpose.
Instruction Scope
SKILL.md contains simple runtime instructions for a conversational workflow and an example user interaction, which is appropriate. However it also includes an explicit shell command (npx clawhub@latest install data-automation-service) that would fetch and run code from npm — this command is not reflected in the registry install spec and expands the agent's runtime behavior beyond the written instructions.
!
Install Mechanism
There is no install spec in the registry, but SKILL.md instructs running 'npx clawhub@latest ...', which would download and run code from npm using the 'latest' tag. Using npx@latest without a pinned version can pull arbitrary upstream changes and is higher-risk; the registry should instead declare an explicit install mechanism and provenance.
!
Credentials
The skill lists no required env vars or primary credential, yet claims to integrate multiple data-source APIs. That mismatch suggests missing declarations: the skill will likely need API keys, database credentials, or OAuth tokens; requesting none upfront is disproportionate and could hide later ad-hoc credential prompts.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges and is user-invocable only. There is no evidence it modifies other skills or global agent config.
What to consider before installing
The SKILL.md mostly describes a consulting-style data-automation workflow, but it includes an 'npx clawhub@latest install ...' instruction that would download and run code from npm even though the registry lists no install spec or published source. Before installing or running this skill you should: (1) ask the publisher for the package name, exact version, and source code or homepage so you can review what 'clawhub' and that installer do; (2) do not run the npx command with the 'latest' tag in a production environment — prefer a pinned version or inspect the package first; (3) expect that connecting to external data sources will require API keys or credentials — only provide minimal-scoped keys and avoid sharing high-privilege credentials; (4) if you must install, do so in an isolated/sandboxed environment and audit network activity and files the installer writes; and (5) if you can, request an explicit install manifest from the author (where code is hosted, checksums, and an audit trail). These steps will reduce risk; the current metadata is missing the provenance and credential details that would make the skill clearly safe to install.

Like a lobster shell, security has layers — review code before you run it.

latestvk97csrb5m51fp8xzt96sdsrat981f6d1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments