Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Lee-CLI Skill
v1.0.0个人AI助手CLI工具集 - 提供天气冷笑话、新闻日报、工作总结、AI学习资源推荐和智能待办清单等功能。当用户需要查看天气笑话、今日新闻、生成工作总结、获取学习资源或管理待办事项时使用此skill。
⭐ 0· 41·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (lee-cli CLI wrapper providing jokes, news, summaries, learning resources, todos) matches the instructions to run a local lee-cli binary. However the SKILL.md explicitly requires ANTHROPIC_API_KEY and optional lark-cli/calendar integration, whereas the registry metadata lists no required env vars or credentials — an inconsistency that should be resolved. The SKILL.md also references host-local project paths (/Users/...) and GitHub repo URLs (developer leftovers), which are not harmful but indicate developer-local content left in docs.
Instruction Scope
Runtime instructions direct the agent to execute local commands (lee-cli ...), which is expected. But they also instruct checking/echoing the ANTHROPIC_API_KEY (e.g., 'echo $ANTHROPIC_API_KEY') in troubleshooting — this explicitly exposes a secret to whatever process runs the command. The document references reading Claude Code activity logs (work-summary) and using calendar events (lark-cli) — both legitimate for the feature but they expand data access beyond simple news/weather. The SKILL.md contains unicode control characters (prompt-injection signal) that could attempt to manipulate model behavior during evaluation.
Install Mechanism
There is no install spec (instruction-only), which is lowest-risk. The only code file is a publication helper script (publish-to-clawhub.sh) that packages files and creates a ZIP on the user's Desktop; it doesn't download or execute remote code. That script will write artifacts if run, but it is not part of automated installation and is not itself an installer.
Credentials
Registry metadata declares no required environment variables, but the SKILL.md and README repeatedly state the tool needs ANTHROPIC_API_KEY. Requesting a user-provided Anthropic API key is reasonable for a tool that uses Claude, but the mismatch between declared requirements and instructions is incoherent. Troubleshooting advice telling the agent to run 'echo $ANTHROPIC_API_KEY' or 'env | grep ANTHROPIC' is a red flag because it encourages revealing a secret into command output. The skill also requires read-only access to Claude Code activity logs and optionally calendar access — these are plausible for summaries/todos but grant access to potentially sensitive user data and should be explicitly declared in metadata and permission UI.
Persistence & Privilege
The skill does not request always:true or background persistence and remains user-invocable; it does not modify other skills. The publishing script produces files but does not create persistent services or backdoors. Autonomous invocation (disable-model-invocation=false) is the platform default and not itself flagged here.
Scan Findings in Context
[unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md. This is not expected for straightforward documentation and can be used to attempt prompt injection/manipulation of model instructions. Treat as suspicious and inspect the file bytes for hidden characters.
What to consider before installing
This skill appears to be a coherent CLI wrapper, but there are a few inconsistencies and risky instructions you should consider before installing:
1) Metadata mismatch: The registry metadata lists no required environment variables, but the docs require ANTHROPIC_API_KEY (and optional lark-cli/calendar). Confirm with the author whether an API key is required and update metadata/permission prompts accordingly.
2) Do NOT run troubleshooting commands that echo or print your API key (e.g., 'echo $ANTHROPIC_API_KEY' or 'env | grep ANTHROPIC'). Those commands reveal secrets to the agent/process output. If you need to verify the key, check the presence of the variable without printing it (or inspect config files locally).
3) Inspect the lee-cli binary/source before use (the SKILL.md refers to a separate Node.js CLI). Verify the CLI's source repo (github link in docs) and audit network calls it makes to ensure it doesn't send data to unexpected endpoints.
4) Verify how 'summary' accesses Claude Code activity logs — ensure access is truly read-only and scope-limited. If the skill will read calendar entries via lark-cli, confirm what data will be accessed and whether you consent.
5) The SKILL.md contains hidden unicode control characters (prompt-injection signal). Ask the author to remove those and provide a clean SKILL.md or manually inspect and sanitize the file before enabling.
6) If you are unsure, run the lee-cli tool in an isolated environment (VM or dedicated account) and do not provide real API keys until you confirm behavior.
If the author can clarify and fix the metadata (declare required env vars and explicit permissions), remove hidden control characters, and remove troubleshooting steps that print secrets, the inconsistencies would be resolved and the skill would be less suspicious.Like a lobster shell, security has layers — review code before you run it.
latestvk979rz382wq81yawa8ap2m90jd84hsmy
License
MIT-0
Free to use, modify, and redistribute. No attribution required.