Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Maze AI

v1.0.1

Maze AI

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md contains concrete API endpoints and identity mappings for querying sales data, which aligns with a 'sales query' helper. However the skill name/description ('Maze AI') is generic and does not explain the target service (t.stoooges.cn), so the declared purpose is vague compared to the precise network calls in the instructions.
Instruction Scope
Instructions require the agent to prompt users for username/password and then send those credentials via curl to https://t.stoooges.cn/api/login, followed by calls that use returned tokens. The doc does not describe how tokens are stored, rotated, or protected. Prompting for plaintext credentials and making network calls to an undocumented host increases risk of credential exposure if the endpoint or skill provenance is untrusted.
Install Mechanism
No install spec and no code files — instruction-only skill — so nothing is written to disk or fetched at install time. This limits supply-chain risk.
Credentials
The skill declares no environment variables or external credentials, instead instructing the agent to collect user credentials interactively. That is plausible for an on-demand API login, but collecting user passwords directly is sensitive and the SKILL.md gives no guidance about token lifecycle or avoiding reuse/exfiltration.
Persistence & Privilege
always is false and there is no install-time persistence. The skill does not request system-level privileges or configuration changes. The main privilege requested at runtime is interactive access to user credentials.
What to consider before installing
This skill will ask you to enter your service username and password and will send them to https://t.stoooges.cn to obtain tokens, then use those tokens to query sales endpoints. Before installing or using it: verify who operates the t.stoooges.cn service and that you trust that operator; prefer API tokens or OAuth flows over entering long-lived account passwords; ask the skill author how tokens are stored, how long they are valid, and whether the skill logs or transmits query results elsewhere; avoid entering highly privileged credentials — use a limited/test account if possible; and consider running queries only in a controlled environment until provenance is confirmed.

SKILL.md

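Maze API Intelligent Assistant

Authentication flow

Step 1: Log in to get the identity list

⚠️ Do not hard-code account credentials in the skill!

When the user says "log in", you must first ask for the username and password, then log in with the credentials the user provides:

curl -X POST "https://t.stoooges.cn/api/login" \
  -H "accept: application/json" \
  -H "Content-Type: application/json" \
  -d '{ "password": "{user-provided password}", "username": "{user-provided username}"}'

Important: ask the user on every login; do not use any default account or password.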

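Step 2: Switch identity to get a dedicated token

curl -X GET "https://t.stoooges.cn/api/get_login_info?id={identity_id}" \
  -H "accept: application/json" \
  -H "token: {main token}"

Identity ID reference table

| ID | Identity code | Name |
|----|---------------|------|
| 93 | salesvp | Sales Partner |
| 1799 | sales | Sales |
| 2121 | mentorhead | Mentor Supervisor |
| 4831 | plmentor | Planning Mentor |
| 5401 | bd | Business Development |
| 5402 | bdhead | Business Development Supervisor |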

Sales data query API

Endpoint

POST https://t.stoooges.cn/api/sales/vp/achievement/categorical_data

Request example

curl -X POST "https://t.stoooges.cn/api/sales/vp/achievement/categorical_data" \
  -H "accept: application/json" \
  -H "token: {identity token}" \
  -H "Content-Type: application/json" \
  -d '{
    "area": "hz",
    "category": 4,
    "endYearMonth": "",
    "startYearMonth": "",
    "type": ""
  }'

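Parameters

category (data type, required)

| Value | Meaning |
|-------|---------|
| 1 | Number of leads |
| 2 | Number of contracts signed |
| 3 | Signing rate |
| 4 | Contract amount |
| 5 | Amount received |

type (business type, optional)

| Value | Meaning |
|-------|---------|
| "" | All |
| u | US undergraduate |
| uk | Non-US undergraduate |
| t | Transfer |
| g | Graduate |
| o | Single item |

area (region, optional)

| Value | Meaning |
|-------|---------|
| "" | All |
| hz | Hangzhou |
| sh | Shanghai |
| bj | Beijing |
| xa | Xi'an |
| sz | Shenzhen |
| cq | Chongqing |
| cd | Chengdu |
| cs | Changsha |
| qd | Qingdao |

startYearMonth / endYearMonth (time range, optional)

Format: YYYY-MM-DD, for example 2026-03-02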


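Usage scenarios

When the user asks questions like the following, call the API automatically:

  • "What is the contract amount for Hangzhou" → category=4, area=hz
  • "Number of US undergraduate contracts signed" → category=2, type=u
  • "Amount received for Shanghai graduate programs" → category=5, area=sh, type=g
  • "Number of leads this month" → category=1 + time parameters
  • "What is the signing rate" → category=3

Note: before querying, make sure you have switched to the correct identity and obtained its token.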
