Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Sbti Fun Test
v3.0.1SBTI personality test V3 - 梗王版!28种接地气的人格类型,包括自我攻击者、吗喽、狗屎人、握草人等。每种类型都有独特的ASCII艺术宠物。30道题,4个选项,测试结果 hilariously accurate。
⭐ 2· 81·1 current·1 all-time
bylaojun@laojun509
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (SBTI personality test) aligns with the included Python scripts and ASCII-art assets. No network endpoints, credentials, or unrelated binaries are requested. Multiple versioned/backup script files are present (v1/v2/v3 and backups), which is plausible for an evolving toy project but increases audit surface.
Instruction Scope
SKILL.md runtime instructions are limited and coherent (run python3 scripts/sbti_test.py or import the provided class). However the SKILL.md was flagged for unicode-control-chars (prompt-injection pattern). That suggests hidden control/unprintable characters that could alter how an agent or parser reads instructions. Also some bundled scripts (truncated in the manifest) show coding mistakes/unfinished sections (e.g., a likely typo 'we' instead of 'weight' and truncated content), which could cause runtime errors or unpredictable behavior.
Install Mechanism
No install spec is provided (instruction-only with bundled scripts). This minimizes supply-chain risk from remote downloads. Files are present in the skill bundle; nothing is fetched from external URLs during install.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate for a local entertainment test and consistent with the stated purpose.
Persistence & Privilege
Default privileges apply: always:false and model invocation allowed (normal). The skill does not request permanent presence or elevated privileges. Note: autonomous invocation is permitted by default — since other concerns exist (prompt-injection flag), you may want to restrict autonomous use until you inspect the files.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md was flagged for unicode control / invisible characters. For a local personality test this is unexpected — such characters are a known technique to influence prompt parsers or hide content. Inspect the raw file for zero-width or control characters before trusting automated execution.
What to consider before installing
This skill appears to implement the advertised entertainment personality test and does not ask for secrets or network access, but take these precautions before installing or enabling autonomous runs: 1) Inspect SKILL.md in a raw-text editor (show invisibles) or run a utility to detect/remove unicode control / zero-width characters. 2) Search the repository for network/socket usage (requests, urllib, socket, subprocess that calls curl) to confirm there are no hidden exfiltration paths. 3) Run the script in an isolated environment (sandbox or disposable VM/container) to verify behavior and to catch runtime errors (the bundled code shows truncated/typoed sections that may crash). 4) If you allow autonomous invocation, consider disabling it until you confirm the SKILL.md has no hidden control characters and the code is safe. If you want, I can (a) show commands to detect/remove invisible characters, (b) scan the scripts for network or subprocess calls, or (c) run a static lint checklist to highlight obvious bugs.Like a lobster shell, security has layers — review code before you run it.
funvk9794k8f0bmrwx6eh4rdcz12zs84gn6flatestvk97etv7j0dm8z9ggnryrg56cah84j8tymbtivk9794k8f0bmrwx6eh4rdcz12zs84gn6fpersonalityvk9794k8f0bmrwx6eh4rdcz12zs84gn6fsbtivk9794k8f0bmrwx6eh4rdcz12zs84gn6ftestvk9794k8f0bmrwx6eh4rdcz12zs84gn6f
License
MIT-0
Free to use, modify, and redistribute. No attribution required.