谋道
Advisory
Audited by VirusTotal on Mar 30, 2026.
Overview
Type: OpenClaw Skill
Name: moudao
Version: 1.1.0
The 'moudao' skill bundle is a legitimate AI-driven planning tool based on the 'Dao, Fa, Shu, Qi' framework. The core logic in `scripts/moudao.js` is a clean Node.js implementation that interacts with the DeepSeek LLM API to perform market research and generate structured execution plans. It uses standard environment variables for API configuration, lacks external dependencies, and contains no evidence of data exfiltration, malicious command execution, or prompt injection. The pricing mention in `SKILL.md` is purely informational and does not involve any functional payment exploitation.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your LLM provider account and billing quota may be used when running this skill.
The skill requires a provider API key even though the registry metadata lists no primary credential or required environment variables. This is purpose-aligned for an LLM planning tool, but users should understand the credential use.
DeepSeek API Key (or another API compatible with the OpenAI format)
Use a scoped, revocable API key, monitor provider usage, and only set the key in environments where you intend to run this tool.
Planning goals, profile details, constraints, and diagnosis context may be transmitted to the configured LLM provider.
The script sends the user’s request and context to an external chat-completions API. This is expected for the stated LLM functionality, but it is a data boundary users should be aware of.
messages: [ { role: 'system', content: systemPrompt }, { role: 'user', content: userMessage } ]
Avoid entering secrets or highly sensitive personal/business information unless you are comfortable sharing it with the configured provider.
Business, career, health, or finance plans may include plausible but unverified estimates.
The internal prompt allows persuasive estimated data while the skill presents a “前期调研” research mode. This is not malicious, but users should not treat outputs as verified market research.
Data and case studies should be persuasive; estimated data may be used
Treat generated plans as a starting point and verify important market, legal, financial, or health claims with reliable sources or professionals.
The skill may require Node.js and manual API-key setup despite metadata suggesting no requirements.
The registry/install metadata under-describes the included runnable Node.js script. The script and package are visible and no suspicious dependencies are shown, so this is an operational metadata note rather than a security concern.
No install spec — this is an instruction-only skill; Code file presence: scripts/moudao.js
Review README.md and package.json before use, and ensure Node.js and the intended API key are configured deliberately.
