Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Huangli Toolkit

v1.1.0

Unified Huangli skill for common workflows: single-date query, date-range batch query, and keyword search over a date range. Use this skill when users ask: -...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal
Benign
View report →
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's stated purpose (huangli date queries, batch/search) matches the included code and endpoints. However, the registry metadata declares no required environment variables and no primary credential, while both SKILL.md and toolkit.py require a HUANGLI_TOKEN (sent as a Bearer token) and optionally HUANGLI_BASE. That discrepancy between the declared requirements and the actual runtime needs is a coherence problem: a user reading only the listing would not know the skill needs a credential at all.
Instruction Scope
SKILL.md instructs the agent/user to set HUANGLI_TOKEN and HUANGLI_BASE and to call the included Python script. The runtime instructions only perform HTTP GET/POST to the stated API, process returned JSON locally, and print results. The instructions do not request other system files, broad data collection, or unexpected external endpoints.
Install Mechanism
There is no install spec (instruction-only), which is low risk. However, the skill bundle includes two code files (toolkit.py, toolkit.sh). No remote downloads, package installs, or extract operations are performed. The presence of code files means the agent/user will execute bundled code; review of that code shows no obfuscated behaviour or hidden endpoints beyond the documented API.
Credentials
The skill requires a single bearer token (HUANGLI_TOKEN) to operate; that credential is logically required for the API functionality and is proportionate. The problem is the registry did not declare this required credential (metadata lists none). The missing declaration reduces transparency and could cause users to unknowingly provide a token to an unverified domain.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent system privileges. It does not modify other skills or system-wide settings. Autonomous invocation is allowed by default (disable-model-invocation is false), which is normal — this is not combined with other broad privileges.
What to consider before installing
This skill's behavior (calling https://api.nongli.skill.4glz.com with a Bearer token) is coherent with its purpose, but the registry metadata fails to declare the required HUANGLI_TOKEN. Before installing:
1) Verify who operates nongli.skill.4glz.com and that you trust their service and privacy policy.
2) Use a token with minimal scope (or a disposable/test token) and confirm how quota and token management work on their dashboard.
3) Inspect the included toolkit.py yourself. It only calls the documented endpoints and prints JSON, but executing code from an unknown publisher carries risk.
4) Prefer running the script in a sandbox or isolated environment if you must test it.
5) Ask the publisher to correct the registry metadata to list HUANGLI_TOKEN and the network endpoint so the skill's requirements are transparent.
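The scan's central finding, in the Purpose & Capability and Credentials sections as well as the checklist above, is a mismatch between what the registry metadata declares and what the bundled code actually reads and contacts. That is a check you can automate before installing any skill: extract the environment variables and outbound hosts from the bundle and diff them against the listing. The following is an added example written for this page, not code from ClawHub or from the Huangli Toolkit. The two file bodies are constructed stand-ins for toolkit.py and toolkit.sh (not the skill's real files), and the DECLARED dictionary is a hypothetical shape for registry metadata; the regexes cover the common os.environ / os.getenv / $VAR idioms and will miss indirect lookups.

```python
import re

# Constructed stand-in for the bundled toolkit.py (illustrative, not the skill's real code).
SAMPLE_TOOLKIT_PY = '''
import os
import requests

BASE = os.environ.get("HUANGLI_BASE", "https://api.nongli.skill.4glz.com")
TOKEN = os.environ["HUANGLI_TOKEN"]

def query(date):
    r = requests.get(f"{BASE}/huangli", params={"date": date},
                     headers={"Authorization": f"Bearer {TOKEN}"})
    return r.json()
'''

# Constructed stand-in for the bundled toolkit.sh (illustrative, not the skill's real code).
SAMPLE_TOOLKIT_SH = '''
#!/bin/sh
: "${HUANGLI_TOKEN:?HUANGLI_TOKEN must be set}"
BASE="${HUANGLI_BASE:-https://api.nongli.skill.4glz.com}"
curl -sS -H "Authorization: Bearer $HUANGLI_TOKEN" "$BASE/huangli?date=$1"
'''

# Hypothetical registry metadata shape, mirroring what the scan reports: nothing declared.
DECLARED = {"env": [], "primary_credential": None, "hosts": []}

# Python lookups: os.environ["X"], os.environ.get("X", ...), os.getenv("X")
PY_ENV = re.compile(r'os\.(?:environ(?:\.get)?\s*[\[(]|getenv\()\s*["\']([A-Z][A-Z0-9_]*)["\']')
# Shell expansions: $X, ${X}, ${X:-default}, ${X:?message}
SH_ENV = re.compile(r'\$\{?([A-Z][A-Z0-9_]*)')
# Shell variables assigned inside the script are locals, not environment inputs.
SH_ASSIGN = re.compile(r'^\s*([A-Z][A-Z0-9_]*)=', re.M)
URL = re.compile(r'https?://([A-Za-z0-9.-]+)')
CREDENTIAL_HINT = re.compile(r'TOKEN|KEY|SECRET|PASS', re.I)
SHELL_BUILTINS = {"PATH", "HOME", "PWD", "USER", "SHELL", "TMPDIR"}


def extract_runtime_needs(files):
    """Return (env_vars, hosts) referenced by the bundle's Python and shell files."""
    env, hosts = set(), set()
    for name, text in files.items():
        hosts.update(URL.findall(text))
        if name.endswith(".py"):
            env.update(PY_ENV.findall(text))
        elif name.endswith(".sh"):
            local = set(SH_ASSIGN.findall(text))
            env.update(v for v in SH_ENV.findall(text)
                       if v not in local and v not in SHELL_BUILTINS)
    return env, hosts


def audit_bundle(files, declared):
    """Diff what the code needs against what the registry listing declares."""
    env, hosts = extract_runtime_needs(files)
    declared_env = set(declared.get("env", []))
    if declared.get("primary_credential"):
        declared_env.add(declared["primary_credential"])
    undeclared_env = sorted(env - declared_env)
    undeclared_hosts = sorted(hosts - set(declared.get("hosts", [])))
    # Variables whose names suggest a secret are the ones that matter most:
    # an undeclared secret flowing to an undeclared host is the scan's concern.
    credential_vars = sorted(v for v in undeclared_env if CREDENTIAL_HINT.search(v))
    findings = []
    if credential_vars and undeclared_hosts:
        findings.append(
            f"undeclared credential(s) {credential_vars} sent to undeclared host(s) {undeclared_hosts}")
    elif undeclared_env:
        findings.append(f"undeclared environment variable(s) {undeclared_env}")
    if undeclared_hosts and not credential_vars:
        findings.append(f"undeclared network endpoint(s) {undeclared_hosts}")
    return {
        "env": sorted(env),
        "hosts": sorted(hosts),
        "undeclared_env": undeclared_env,
        "undeclared_hosts": undeclared_hosts,
        "credential_vars": credential_vars,
        "findings": findings,
    }


if __name__ == "__main__":
    bundle = {"toolkit.py": SAMPLE_TOOLKIT_PY, "toolkit.sh": SAMPLE_TOOLKIT_SH}
    for finding in audit_bundle(bundle, DECLARED)["findings"]:
        print("WARN:", finding)
```

Running this against the constructed bundle reproduces the scan's verdict: HUANGLI_TOKEN and HUANGLI_BASE are read at runtime and api.nongli.skill.4glz.com is contacted, while the listing declares none of it. Re-running with the metadata corrected (env listing both variables and hosts listing the API) produces no findings, which is the state to ask the publisher for. Treat a clean result as necessary, not sufficient: the regexes only see direct lookups and literal URLs, so a bundle that builds names or hosts dynamically still needs a manual read.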


Tags: calendar, huangli, latest, toolkit

