Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
demo-lin-test
v1.0.8 Paid skill example template - with authorization verification, demonstrating how to publish a paid skill on ClawHub
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The registry description advertises a 'paid skill with authorization' ("demonstrates authorization verification"), but the SKILL.md simply defines a document-summary routine and the skill declares no required environment variables, credentials, binaries, or install steps. This mismatch could be benign (billing/auth handled by the platform) but is an unexplained inconsistency.
Instruction Scope
SKILL.md limits behavior to: read provided content and return a Markdown summary with specific sections (Summary, Key Points, Risks). It does not instruct reading other files, environment variables, or contacting external endpoints.
Install Mechanism
There is no install spec and no code files. As an instruction-only skill, it writes nothing to disk and has minimal runtime footprint.
Credentials
The skill declares no required environment variables or credentials, which is consistent with the instructions. However, the top-level description's mention of authorization is not reflected in the declared env/credential requirements — either the platform provides billing/auth externally (possible) or the metadata is inaccurate.
Persistence & Privilege
The skill does not request 'always:true' and uses default invocation settings. It does not ask to modify other skills or system settings.
What to consider before installing
This skill appears to be a simple, instruction-only document summarizer and does not request credentials or install anything. The main inconsistency is the metadata claiming a paid/auth demo while the skill itself has no auth behavior — that may be harmless if platform-level billing is intended, but could also indicate sloppy or misleading metadata. Before installing:
(1) verify the publisher identity (owner ID) and prefer skills with a homepage or repository;
(2) ask the publisher why the description mentions authorization if the skill needs no credentials;
(3) avoid sending highly sensitive documents to a skill with unclear provenance;
(4) monitor the skill's behavior when first used and revoke access if anything unexpected occurs.
Additional information that would raise confidence: a homepage/repository, explicit explanation of billing/auth flow, or code/assets showing how authorization is handled.
Like a lobster shell, security has layers — review code before you run it.
