Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kim Msg Account Skill
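v1.0.2
Kim Message Account configuration assistant - an IM messaging channel integration tool for Kuaishou (Kwai). It helps users install and configure the Kim Channel plugin so they can exchange messages with OpenClaw through Kim (Kuaishou IM). It supports automatic plugin installation, interactive configuration guidance, and an optional automatic configuration service.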
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the behavior: the skill checks/installs an OpenClaw plugin, guides the user to create a Kim app, and sets OpenClaw channel config. The only required binary is openclaw, which is appropriate. The scripts reference an internal npm registry and the @ks-openclaw/kim package which is consistent with installing the Kim plugin.
Instruction Scope
SKILL.md and scripts limit actions to plugin installation, interactive collection of appKey/secret/verificationToken/webhookPath, writing those into OpenClaw config, simple network checks (curl) to user-provided webhook URLs, and restarting the OpenClaw gateway. The scripts prompt locally for secrets and do not contain code that exfiltrates data to unexpected remote endpoints.
Install Mechanism
There is no external install spec (instruction-only plus local scripts). The scripts call 'openclaw plugins install @ks-openclaw/kim' and set npm_config_registry to an internal corporate registry (https://npm.corp.kuaishou.com). This is expected for a corporate plugin but means the package will be fetched from an internal registry rather than a public, third-party release host—verify you trust that registry and the @ks-openclaw/kim package contents before installing.
Credentials
The skill does not declare or require unrelated environment variables or external credentials. It legitimately requests the Kim app credentials (appKey, secretKey, verificationToken) from the user to configure OpenClaw. Note: the scripts write these secrets into OpenClaw config; confirm how OpenClaw stores/encrypts those values (README already recommends Kconf/encryption).
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It will (optionally) restart the local OpenClaw gateway as part of configuration—this is expected behavior for applying channel config and not an unexplained privilege.
Assessment
This skill appears to do exactly what it says: guide installation/configuration of a Kim channel for OpenClaw. Before using it, verify the following: (1) you trust the internal npm registry (https://npm.corp.kuaishou.com) and the plugin package @ks-openclaw/kim; (2) understand where OpenClaw stores credentials and whether they are encrypted (use Kconf or equivalent per org policy); (3) do not paste secrets into public chats—run the included scripts locally so secrets are entered on your machine; (4) review the plugin code/package (if possible) before installing; and (5) be aware the scripts may restart your OpenClaw gateway—schedule downtime if needed.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
💬 Clawdis
Bins: openclaw
