Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

HV Analysis (横纵分析法, Horizontal-Vertical Analysis)

v1.0.0

A deep-research skill built on the Horizontal-Vertical Analysis method (横纵分析法), proposed by 数字生命卡兹克, which combines diachronic and synchronic analysis, longitudinal and cross-sectional research design, the case study method and competitive strategy analysis. Use it when the user wants to systematically research a product, company, concept, technology or person. The vertical axis traces the subject's complete life history, the horizontal axis compares it systematically against competitors, the two axes are crossed to produce insights, and the final output is a P...

by Khazix (@kkkkhazix)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill describes producing a 'beautifully formatted PDF research report' (排版精美的PDF研究报告) using an included scripts/md_to_pdf.py and built-in CSS, but the package contains no code files. For a skill that promises an internal PDF renderer, having no script is a capability mismatch. The referenced GitHub repo (https://github.com/KKKKhazix/khazix-skills) may provide the script, but the skill manifest neither includes it nor declares that it will be fetched, leaving an unexplained gap.
Instruction Scope
SKILL.md explicitly requires online searching and running parallel 'subAgents' to collect public information (founders, histories, competitor data). That is consistent with the stated research purpose. The instructions do not ask to read local files, environment variables, or unrelated system paths. They do, however, require collecting potentially sensitive PII from public sources (e.g., founder backgrounds), which is expected for this use case but worth noting.
Install Mechanism
There is no install spec (the skill is instruction-only), which is low-risk in general. However, SKILL.md asserts an included md_to_pdf.py script and CSS for PDF generation even though no code files are present. That creates ambiguity: the agent may attempt to download or extract code at runtime (from the referenced GitHub repo or elsewhere). Downloading and executing external code at runtime is higher risk and should be explicit and auditable.
Credentials
The skill requests no environment variables, no credentials, and no config paths. That is proportionate to a web-research and writing task. There are no unexplained requests for keys or secrets.
Persistence & Privilege
The manifest's always flag is false, and the skill does not request elevated or persistent system-wide privileges. It does call for network access and subAgent usage (normal for this purpose) but does not try to modify other skills or agent configs.
Scan Findings in Context
[no_regex_findings] expected: The package is instruction-only with no code files, so the regex-based scanner had nothing to analyze. This aligns with the absence of code but leaves unverified the claimed md_to_pdf.py script referenced in SKILL.md.
What to consider before installing
This skill appears to be a genuine research/reporting template, but it claims to include a PDF-generation script that is not present. Before installing or enabling it:
(1) Ask the author to supply the missing scripts/md_to_pdf.py and CSS, or to point to an exact, reviewable URL for them. Do not allow the agent to autonomously download and run code from an unreviewed URL.
(2) If you must proceed, review any external repository code yourself before permitting execution.
(3) Be aware that the skill will perform broad web searches and may collect public PII about people; confirm that this is acceptable for your use case.
(4) If you want lower risk, request that the skill be modified to return Markdown only (no automatic PDF generation) so you can convert to PDF on a controlled system after reviewing the sources.
