Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Archive Files

v1.0.0

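Periodically collects the latest intelligence, policies and regulations, technical developments and industry news for the archives sector. Use this skill when the user needs archives-industry news, policy updates, or technology trends, or wants to set up a scheduled intelligence-collection task.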

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
! Purpose & Capability
The SKILL.md and examples describe automated web searches and scheduled collection from official sites and academic databases. The included script (scripts/collect-intelligence.js) does not perform any network requests or scraping — it only generates a placeholder markdown report and writes it to disk. This is a substantive mismatch: a user expecting automatic data collection would not get that from the current code.
! Instruction Scope
Runtime instructions tell the agent to 'use network search tools', visit official sites, and configure system schedulers (cron/Task Scheduler). The script itself does not implement these actions. The SKILL.md gives broad, open-ended discretion to 'use network search tools' which could cause an agent to browse, fetch, or post data unless constrained; combined with the incomplete script, this is vague and inconsistent.
Install Mechanism
There is no install spec and no external downloads — the skill is instruction-plus-local-js only. That minimizes install-time risk; nothing is written to disk by an installer. The only runtime requirement is Node.js to run the provided script (not declared).
Credentials
The skill declares no environment variables, no credentials, and no config paths. The code similarly does not access secrets or external tokens. That is proportionate to what the included script actually does (generate local files).
Persistence & Privilege
always is false and the skill does not request permanent agent-wide privileges. The script writes reports to a configurable output_dir, which is expected behavior for a reporting tool and does not modify other skills or global agent configuration.
What to consider before installing
This skill appears incomplete and inconsistent with its description. Before installing or enabling it:
1) Don’t run it on sensitive systems: run in a sandbox or non-privileged account.
2) Review and fix the code: scripts/collect-intelligence.js contains a JavaScript syntax error (an extra ")" in the News source URL) and the script only creates a local placeholder report; it does not fetch web pages or query databases.
3) If you expect automated web scraping, confirm (or implement) explicit, auditable network logic and where results are sent; make sure scraping follows sites' terms/robots.txt and does not exfiltrate data.
4) Ensure Node.js is installed and check output_dir to avoid overwriting important files.
5) Be cautious setting system schedulers that run third-party scripts; inspect and test the script manually before adding to cron/Task Scheduler.
6) Because the skill source is unknown and there's no homepage, consider obtaining the author’s identity or a trusted alternative implementation before trusting it for production use.

Like a lobster shell, security has layers — review code before you run it.
