Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Platform Script Skills

v1.0.1

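Provides script templates and coding standards for an in-house business platform. Use this skill when the user needs to write Groovy backend scripts, JavaScript form scripts, SQL queries, attachment handling, or similar code.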

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description promise Groovy/JS/SQL/attachment templates and coding rules; the SKILL.md and references directory contain exactly those templates and platform-specific API calls (DataModelUtils, ScriptUtils, AccountUtils). No unrelated credentials, binaries, or installs are requested.
Instruction Scope
Instructions are limited to reading the bundled references and generating platform scripts. However, the templates include examples that read account data, print passwords, reset passwords to a constant value, delete multiple records, and build SQL via string concatenation. Those examples are within the scope of an admin-focused script library but are sensitive and can cause destructive or privacy-impacting changes if copied verbatim or used without review.
Install Mechanism
Instruction-only skill with no install spec and no code executed on install; this minimizes installation risk. All files are bundled with the skill (SKILL.md and references).
Credentials
The skill requests no environment variables, no credentials, and no config paths. The SKILL.md references platform runtime functions (e.g., args$.getTokenFunc) which are expected for platform scripts and are not external secrets requested by the skill itself.
Persistence & Privilege
always is false and the skill has no install actions that modify agent configuration or other skills. It does not request persistent privileges beyond standard skill inclusion.
Assessment
This skill appears to be what it says: a set of platform-specific script templates and coding rules. Before using it in production, do the following:
1) Audit the bundled templates — do NOT copy-and-paste examples that print or modify account passwords, reset credentials to hardcoded values, or perform broad deletes.
2) Review SQL templates for unsafe string concatenation (risk of SQL injection) and prefer parameterized queries.
3) Test generated scripts in a sandbox/staging environment with limited privileges.
4) Require manual code review and approval before deploying any generated script that touches user accounts, credentials, or deletion/update operations.
5) Verify the skill source/trustworthiness if you need long-term use; if you cannot verify the origin, restrict who can invoke it.
If the skill later requests external endpoints, environment variables, or an install script that downloads code, re-evaluate as those would raise stronger concerns.

Like a lobster shell, security has layers — review code before you run it.



Runtime requirements

📝 Clawdis
