Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
zadig
v4.0.2⚠️ 需要 ZADIG_API_URL + ZADIG_API_KEY | Zadig DevOps 平台 API 客户端
⭐ 2· 564·1 current·1 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description claim a Zadig API client and the package.json, SKILL.md, and index.js consistently implement a Zadig OpenAPI client. Minor metadata inconsistency: package.json / README list version 4.0.1 while registry metadata shows 4.0.2 — not a security problem but worth noting.
Instruction Scope
SKILL.md instructs the agent to read a .env for ZADIG_API_URL and ZADIG_API_KEY and to call the Zadig server; index.js only reads process.env and makes HTTP(S) requests to the API_BASE derived from ZADIG_API_URL. There are no instructions to read unrelated files or exfiltrate data to other endpoints.
Install Mechanism
No install spec is provided (instruction-only runtime with included Node.js source). No downloads from external URLs or archive extraction. The skill includes a local index.js implementation rather than pulling arbitrary code at runtime.
Credentials
Declared required environment variables are ZADIG_API_URL and ZADIG_API_KEY (plus optional defaults). These are exactly the credentials needed to operate the client; no unrelated secrets or extra credentials are requested.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform-wide privileges. It declares read:env and network:https which are appropriate for its operation and does not modify other skills or global configuration.
Assessment
This skill appears to be a straightforward Zadig API client. Before installing: 1) Confirm ZADIG_API_URL points to your intended Zadig server (not a public or unknown host). 2) Use a least-privilege API token (scoped, short-lived if possible) and avoid committing the token to VCS. 3) Review the included index.js (it makes HTTPS calls to whatever URL you provide and sets Authorization: Bearer <token>) so ensure no unexpected hardcoded endpoints exist. 4) Note the minor version mismatch in metadata (package/README vs registry) and prefer obtaining the skill from a trusted source or official repository if possible. If you need the agent to call other services, check how ZADIG_API_URL will be set and who can modify it.Like a lobster shell, security has layers — review code before you run it.
latestvk976bcke5cyx8rcvbhzbrn66kh826s1n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.