ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

通过 JumpOnce 代理服务访问海外被封禁的 API(币安 US、GitHub、Google、OpenAI 等),支持 HTTP 转发和 WebSocket 透传,出口节点位于 Oracle Cloud 美国凤凰城

v1.0.0

Access overseas/external URLs via JumpOnce proxy service (jumptox.top). Use when: (1) needing to fetch content from websites blocked or unreachable from the...

0· 18·0 current·0 all-time
by@men459
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill's name/description (HTTP/WS forwarding via JumpOnce) matches the included code and docs: the script and API reference perform proxy forwarding. However the registry metadata does not declare the required JUMPONCE_API_KEY environment variable even though SKILL.md and scripts require it — this mismatch is an incoherence that should have been declared in requires.env.
!
Instruction Scope
SKILL.md explicitly instructs the agent/user to obtain and use an API key and to 'save it in workspace TOOLS.md for persistent access' (this encourages storing secrets in plaintext). The bundled script and references use the base URL 'http://api.jumptox.top' (plain HTTP) which would send Authorization headers and API keys without TLS if used as-is. The instructions permit forwarding arbitrary target URLs and WebSocket connections, which is functionally necessary for a proxy but also gives broad discretion that can be abused for exfiltration or connecting to malicious endpoints.
Install Mechanism
There is no formal install spec (instruction-only with one helper script included). The README suggests 'pip install jump-once' (an external/unknown PyPI package) — pulling an unvetted package is a moderate risk if followed. The included helper script itself is small and straightforward and does not contain obfuscated or unexpected behavior.
!
Credentials
The skill requires a single API key for the proxy service, which is proportionate to the functionality, but the registry did not declare this required env var. Worse, the documentation suggests saving the key in a workspace file (TOOLS.md), which is insecure. Also the script posts the API key to an HTTP endpoint (api.jumptox.top) — transmitting secrets over plain HTTP is a significant security issue.
Persistence & Privilege
The skill does not request always:true and has no declared system-wide persistence. Autonomous invocation is enabled (default) — that is normal — but note that giving an agent access to this skill effectively grants it the ability to reach external/blocked networks via the proxy, increasing the agent's network capabilities and blast radius.
What to consider before installing
This skill does what it says (forwards HTTP/WebSocket traffic through jumptox.top), but there are red flags you should consider before installing: (1) the registry metadata fails to declare the required JUMPONCE_API_KEY — expect to provide that secret yourself; (2) the docs instruct storing the key in a workspace file (TOOLS.md) — don’t store secrets in plaintext files; use a secure secret store or environment variable instead; (3) the provided examples and script use http://api.jumptox.top (plain HTTP) which would expose your API key in transit — confirm the provider supports HTTPS and update calls to use TLS; (4) the README suggests installing an external package 'jump-once' from PyPI — only install it after vetting the package source and contents; (5) be aware that enabling this skill gives an agent network relay capability to access sites your local network blocks (including services you may not want the agent to contact). If you still want to use it: verify the provider's identity/trustworthiness, require HTTPS endpoints, avoid storing keys in repo/workspace files, add the required env var to the skill metadata, and review any third-party packages before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk976xzptjpapny87kycy744j058558ja
18downloads
0stars
1versions
Updated 5h ago
v1.0.0
MIT-0
@men459
latest
Download

JumpOnce Proxy

Forward HTTP/WS requests through JumpOnce proxy to access overseas resources.

Setup

Get API Key

  1. Register & login at panel.jumptox.top
  2. Go to Console → API Keys → Create
  3. Copy the key (starts with jk_live_)

Configure

export JUMPONCE_API_KEY="jk_live_xxxxxxxxxxxx"

Or save it in workspace TOOLS.md for persistent access.

Quick Usage

Option A: Python SDK

pip install jump-once

from jump import Client

client = Client(api_key="jk_live_xxxxxxxxxxxx")

# HTTP GET
result = client.http.forward(url="https://example.com/api")
print(result.status_code, result.body)

# HTTP POST
result = client.http.forward(
    url="https://api.example.com/data",
    method="POST",
    body='{"key": "value"}',
    headers={"Content-Type": "application/json"},
)

Option B: Direct API Call

import requests

resp = requests.post(
    "http://api.jumptox.top/api/v1/http/request",
    json={
        "url": "https://example.com/api",
        "method": "GET",
        "headers": {},
        "params": {},
        "timeout": 30,
    },
    headers={"Authorization": "Bearer jk_live_xxxxxxxxxxxx"},
)
print(resp.json())

Option C: Bundled Script

python scripts/forward_request.py --url "https://example.com" --api-key "jk_live_xxx"

Use --raw flag for unparsed response, --body for POST data.

Endpoints

  • Structured forward: POST /api/v1/http/request — returns {code, data: {statusCode, headers, body, elapsed}}
  • Raw passthrough: POST /api/v1/http/raw — returns target's raw response
  • WebSocket: See API Reference for channel management

Limits

  • HTTP body: 10 MB | Timeout: 120 s | Redirects: 5
  • Allowed ports: 80, 443, 8080, 8443
  • WS frame: 1 MB | WS idle: 30 min

Full API docs: references/api-reference.md

Comments

Loading comments...