Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
友行
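v1.0.0
Query activity information for the 友行 youth community. Use when the user asks about 友行's activities, recent activities, the activity schedule, or the details of a specific activity. Supports listing all activities and fetching details by activity ID. Outputs JSON by default; Markdown format is available when the user requests it.
by Bai Loong @longbai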
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to query 友行 club activities and the included Node scripts call api.cumen.fun endpoints with clubId/campaignId, which aligns with the stated purpose. However, the SKILL.md executes node via inline 'node -e' snippets while the skill metadata lists no required binaries — that is an incoherence (the agent environment must provide Node.js for the instructions to run). Also SKILL.md declares API_BASE but the example code uses explicit endpoint URLs, a minor mismatch.
Instruction Scope
Instructions only perform HTTPS POSTs to api.cumen.fun to list campaigns or get campaign details and then map/format the response to JSON or Markdown. They do not read local files, environment variables, or other system state. Note: the responses include potentially sensitive fields such as exact address and latitude/longitude — this is expected for an activity/location lookup but users should be aware location data may be returned.
Install Mechanism
No install spec or external downloads are present; this is an instruction-only skill (no code files to install), which minimizes install-time risk.
Credentials
The manifest requests no environment variables, credentials, or config paths. The SKILL.md hardcodes CLUB_ID and API URLs inside the instructions rather than requesting secrets, so no unexpected credential access is requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence or modify other skills. Autonomous invocation is allowed (platform default) but not combined with other red flags here.
What to consider before installing
This skill appears to do what it says (query activities from api.cumen.fun) but note two practical cautions: (1) The runtime instructions require Node.js (they run 'node -e'), yet the manifest does not declare Node as a required binary — ensure your agent environment actually has Node available or the snippets won’t run. (2) The skill calls an external API (api.cumen.fun) and may return precise addresses and coordinates; only use it if you trust that endpoint. The skill's source and homepage are unknown, so if you need stronger assurance, ask the publisher for the source repo or a trusted homepage, or run the requests from a sandboxed environment and inspect responses before exposing them to users.
Like a lobster shell, security has layers — review code before you run it.
latest vk97d1ny752fww3g58ehnrprq2x84ps4m
