Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

English-Learning

v1.0.0

Provides English listening materials for primary school, TEM-4 and TEM-8 levels; supports fetching the list of materials and detailed passages.

License: MIT-0. Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims to serve English listening materials and its runtime instructions call a Supabase REST endpoint to list materials — that is coherent. However, the registry metadata indicates no required environment variables while the SKILL.md explicitly lists SUPABASE_URL and SUPABASE_ANON_KEY, which is an inconsistency between metadata and the instructions.
Instruction Scope (flagged)
The instructions are specific and scoped to retrieving listening_materials from a Supabase REST API and presenting segments; they do not ask the agent to read arbitrary system files. Concern: the SKILL.md contains a concrete example SUPABASE_URL and what appears to be a real-looking SUPABASE_ANON_KEY (a JWT-like string). Including an example key in the skill text is risky — if that key is valid it could be abused; if it's a placeholder it should be clearly marked as such.
Install Mechanism
This is an instruction-only skill with no install spec or code files, so nothing will be written to disk by an installer. That minimizes install-time risk.
Credentials (flagged)
Requesting SUPABASE_URL and SUPABASE_ANON_KEY is proportionate for a skill that fetches content from a Supabase project. However, the registry metadata declares no required env vars (mismatch), and the presence of an example anon key in the documentation raises the risk of accidental credential reuse or exposure. Note: Supabase anon keys are intended for public/client usage but may still allow unwanted read access depending on your RLS policies.
Persistence & Privilege
The skill does not request always:true and has no install-time persistence steps. It is user-invocable and may be invoked autonomously by the agent (platform default), which is expected for typical skills.
What to consider before installing
Before installing:
1) Confirm with the skill author (or avoid installing if the author is unknown) whether SUPABASE_URL and SUPABASE_ANON_KEY are actually required, and update the registry metadata to list them.
2) Do not paste production or high-privilege keys into the skill; prefer a read-only or tightly-scoped key and enable Row-Level Security (RLS) on the Supabase table.
3) Treat the example SUPABASE_URL and anon key in SKILL.md as suspicious: verify whether that example key is valid; if it is, it should be revoked.
4) If you must use this skill, create a dedicated Supabase project or a scoped public key that only exposes the listening_materials view, not other data.
5) Prefer a documented homepage/source and contact for the owner; absence of a source makes auditing harder.
6) If you need higher assurance, ask the skill author to remove embedded keys, declare required env vars in registry metadata, and publish a source or homepage so the implementation can be reviewed.


Runtime requirements

Environment variables:
SUPABASE_URL (required)
SUPABASE_ANON_KEY (required)