Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Hs Ti

v2.2.3

Hillstone Threat Intelligence (云瞻) query skill. Checks whether IP addresses, domains, URLs, file hashes, and other indicators are in the Hillstone threat intelligence database. Supports both Chinese and English.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name/description match the code and SKILL.md: it queries Hillstone (yunzhan) threat intelligence for IPs, domains, URLs, and hashes. The code implements caching, batching, exports, and logging which are coherent with the stated features. However, the registry 'Requirements' block in the provided metadata lists no required env vars or config, while SKILL.md/package.json/code clearly require a config.json and support the HILLSTONE_API_KEY environment variable — an inconsistency between declared requirements and actual capability.
Instruction Scope
SKILL.md and examples instruct the agent to read config.json (or use HILLSTONE_API_KEY), call the Hillstone API endpoint, format and optionally export results, and write logs to ~/.openclaw/logs/hs_ti.log. All referenced files and operations (config, exports, logs) are within the expected scope for a threat-intel integration and do not request unrelated system secrets or paths.
Install Mechanism
No external installer or download is specified; the package is Python-based and uses only standard library modules per requirements.txt. There is no network-based install artifact or executable download. This is low-risk from an install mechanism perspective.
Credentials
The code and SKILL.md require an API key (config.json and HILLSTONE_API_KEY) and network access to https://ti.hillstonenet.com.cn, which is proportional for this functionality. The concern is the metadata presented to the registry (required env vars: none) does not declare the required credential; that mismatch may cause unexpected behavior or accidental credential misconfiguration. The skill also writes log files and export files to the filesystem (home and example export dirs) which is expected but worth noting.
Persistence & Privilege
The skill is not marked always:true and does not request elevated privileges or modify other skills. It will create its own log and export files under the user's home and example directories and persist its own config; that is normal and coherent with its purpose.
What to consider before installing
This package implements a Hillstone (yunzhan) threat-intel client and expects a valid API key (either config.json or HILLSTONE_API_KEY) and network access to the Hillstone TI endpoint. Before installing:

  1. Be aware the registry metadata you saw omitted the API-key requirement — verify and supply the API key via environment variable or config.json as described in SKILL.md.

  2. Confirm the API URL (https://ti.hillstonenet.com.cn) is the legitimate endpoint you intend to use.

  3. The skill writes logs (~/.openclaw/logs/hs_ti.log) and exports reports to local files — ensure you are comfortable with where files will be written and that sensitive IOC values are handled per your policy.

  4. Review the included Python code (hs_ti_plugin.py and result_formatter.py) if you can — the package is self-contained and uses only the Python standard library, but there are minor code/documentation inconsistencies.

  5. If you require higher assurance, run the tests locally in an isolated environment or sandbox and validate that the skill only communicates with the declared endpoint and does not exfiltrate credentials.

If you need, I can point out the exact code locations that read config.json / HILLSTONE_API_KEY and where files are written.

Runtime requirements

🔍 Clawdis

SKILL.md

Hillstone Threat Intelligence Skill

Features: Query IP addresses, domains, URLs, and file hashes in the Hillstone threat intelligence database.

New Features (v2.2.2)

  • Automatic IOC Type Detection: Automatically detects IP, domain, URL, hash, and other IOC types
  • Smart Caching: Built-in LRU cache with statistics and size limits, significantly improving query performance (40-60%)
  • Connection Pool Management: HTTP connection pool for efficient connection reuse, reducing network latency (30%)
  • Batch Operations: Import IOC lists from CSV, TXT, and JSON files; batch queries with progress tracking
  • Exponential Backoff Retry: Intelligent retry mechanism for better handling of temporary network failures
  • Circuit Breaker Pattern: Prevents cascading failures and improves system stability
  • Result Formatting: Support for text, JSON, table, and other formats
  • Result Export: Support for exporting to CSV, JSON, HTML, Markdown, and other formats
  • Logging: Complete operation logging with automatic sensitive data masking
  • Error Handling: Comprehensive error handling and retry mechanisms
  • Type Hints: Full type annotations for better code maintainability
  • API Key Management: Support for the HILLSTONE_API_KEY environment variable, which takes priority over the config file
  • Security Enhancements: Sensitive data masking, log security, file permission management
  • Search Optimization: 70+ keywords covering brand, security, features, and more

Language Switching

Default Language: English

Switch to Chinese:

/hs-ti cn

Switch to English:

/hs-ti en

Configuration

You need to create a config.json file and configure a valid API Key:

  1. Copy config.example.json to config.json

  2. Fill in your API Key in config.json:

{
  "api_key": "your-api-key-here",
  "api_url": "https://ti.hillstonenet.com.cn",
  "timeout": 30,
  "max_retries": 3,
  "retry_delay": 1,
  "cache_enabled": true,
  "cache_ttl": 3600
}

Configuration Parameters:

  • api_key: Hillstone Threat Intelligence API Key (required)
  • api_url: API URL (optional, default: https://ti.hillstonenet.com.cn)
  • timeout: Request timeout in seconds (optional, default: 30)
  • max_retries: Maximum retry attempts (optional, default: 3)
  • retry_delay: Retry delay in seconds (optional, default: 1)
  • cache_enabled: Enable cache (optional, default: true)
  • cache_ttl: Cache time-to-live in seconds (optional, default: 3600)
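
The key-handling rules above as an added example (not the skill's own code): HILLSTONE_API_KEY overrides config.json, the placeholder key from the sample config is rejected, and a group/world-accessible config file or a non-default api_url host is reported as a warning. The function names, the mode-600 policy and the https requirement are assumptions of this example.

```python
import json
import os
import stat
from urllib.parse import urlsplit

DEFAULT_HOST = "ti.hillstonenet.com.cn"
DEFAULTS = {
    "api_url": f"https://{DEFAULT_HOST}", "timeout": 30, "max_retries": 3,
    "retry_delay": 1, "cache_enabled": True, "cache_ttl": 3600,
}
PLACEHOLDER = "your-api-key-here"  # placeholder from the sample config above


def mask_secret(value, keep=4):
    """Keep only the last `keep` characters so logs never hold the full key."""
    if len(value) <= keep:
        return "*" * len(value)
    return "*" * (len(value) - keep) + value[-keep:]


def load_config(path="config.json", environ=os.environ):
    """Merge defaults, config.json and HILLSTONE_API_KEY.

    Returns (config, warnings); raises ValueError when no usable key exists.
    """
    cfg, warnings = dict(DEFAULTS), []
    if os.path.exists(path):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # accessible beyond the owner
            warnings.append(f"{path} has mode {mode:o}; restrict it to 600")
        with open(path, encoding="utf-8") as fh:
            cfg.update(json.load(fh))
    env_key = environ.get("HILLSTONE_API_KEY")
    if env_key:  # the environment variable takes priority over the file
        cfg["api_key"] = env_key
    if cfg.get("api_key", PLACEHOLDER) == PLACEHOLDER or not cfg["api_key"]:
        raise ValueError("api_key missing: set HILLSTONE_API_KEY or config.json")
    url = urlsplit(cfg["api_url"])
    if url.scheme != "https":  # assumed policy: never use the key over http
        raise ValueError("api_url must use https")
    if url.hostname != DEFAULT_HOST:
        warnings.append(f"api_url host {url.hostname} is not {DEFAULT_HOST}")
    return cfg, warnings
```

Log `mask_secret(cfg["api_key"])` rather than the key itself, and surface the returned warnings to the operator before the first query is sent.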

Usage Examples

/threat-check 45.74.17.165
/threat-check deli.ydns.eu
/threat-check 45.74.17.165,deli.ydns.eu,www.blazingelectricz.com
/threat-check -a 45.74.17.165
/threat-check -a deli.ydns.eu

Advanced API

Use the -a parameter to call the advanced API and get more detailed threat intelligence:

/threat-check -a 45.74.17.165

The advanced API provides:

  • Basic Info: Network, carrier, location, country, province, city, coordinates
  • ASN Info: Autonomous System information
  • Threat Type: Malicious type classification
  • Tags: Threat-related tags
  • DNS Records: Reverse DNS records (up to 10)
  • Domain Info: Current and historical domains (up to 10)
  • File Associations: Downloaded, referenced, and related file hashes (malicious only)
  • Port Info: Open ports, application protocols, application names, versions

Supported IOC Types

  • IP Address: Automatically detected; queries /api/ip/reputation
  • Domain: Automatically detected; queries /api/domain/reputation
  • URL: Automatically detected; queries /api/url/reputation
  • File Hash: Supports MD5/SHA1/SHA256; queries /api/file/reputation

Response Time Statistics

Each query displays detailed performance statistics:

  • Single Query: Displays the response time for the current call
  • Batch Query: Displays statistics for the current batch (avg/max/min/median)
  • Cumulative Statistics: Displays cumulative statistics and the total call count for all historical queries

Dependencies

  • Python 3.8+
  • Access to the Hillstone Threat Intelligence API
  • This skill uses only the Python standard library; no additional dependencies are required

API Endpoints

Reputation API

  • IP Query: /api/ip/reputation?key={ip}
  • Domain Query: /api/domain/reputation?key={domain}
  • URL Query: /api/url/reputation?key={url}
  • File Hash Query: /api/file/reputation?key={hash}

Advanced Detail API

  • IP Advanced Query: /api/ip/detail?key={ip}
  • Domain Advanced Query: /api/domain/detail?key={domain}
  • URL Advanced Query: /api/url/detail?key={url}
  • File Hash Advanced Query: /api/file/detail?key={hash}
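
The IOC type detection and endpoint routing described under Supported IOC Types and API Endpoints, as an added example that is not the skill's own code. The function names and the classification rules are assumptions; only the paths and the `key` parameter come from the lists above, and authentication is left out because the page does not say how the API key is sent.

```python
import ipaddress
import re
from urllib.parse import urlencode, urlsplit

BASE_URL = "https://ti.hillstonenet.com.cn"  # default api_url from config.json
HASH_LENGTHS = {32: "MD5", 40: "SHA1", 64: "SHA256"}  # hex digits per digest
# Hostname: dot-separated labels of letters/digits/hyphens, alphabetic TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$",
    re.I,
)


def classify_ioc(value):
    """Return 'ip', 'domain', 'url' or 'file'; raise ValueError otherwise."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)  # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in HASH_LENGTHS:
        return "file"
    parts = urlsplit(v)
    if parts.scheme in ("http", "https") and parts.hostname:
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    raise ValueError(f"unrecognised IOC: {value!r}")


def build_query_url(value, advanced=False, base_url=BASE_URL):
    """Map an IOC to its reputation (or, with -a, detail) endpoint."""
    kind = classify_ioc(value)
    action = "detail" if advanced else "reputation"
    # urlencode escapes '&', '?', '#' and '=' so a URL IOC stays one parameter
    # instead of splitting into extra query parameters on the request.
    return f"{base_url}/api/{kind}/{action}?{urlencode({'key': value.strip()})}"


def parse_batch(arg):
    """Expand the comma-separated form accepted by /threat-check."""
    return [build_query_url(item) for item in arg.split(",") if item.strip()]
```

Rejecting unrecognised input before any request is built keeps free-form text from being forwarded to the API as an indicator.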

Troubleshooting

  • Invalid API Key: Ensure you are using a valid Hillstone API Key
  • Network Connection Issues: Check whether you can access https://ti.hillstonenet.com.cn
  • Query Timeout: The default timeout is 30 seconds; adjust the timeout parameter in config.json
  • Encoding Issues: Ensure your system supports UTF-8 encoding
  • Log Viewing: The log file is located at ~/.openclaw/logs/hs_ti.log

Files

14 total