ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawBrain Doctor

v1.2.0

诊断你的 OpenClaw 配置和运行状态,基于 v1.2 的输出验证、模型健康监控、知识图谱检查、记忆来源标注、降级通知和长对话截断诊断

0· 142·0 current·0 all-time
by@michaelfeng
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill promises comprehensive 'diagnose OpenClaw configuration and runtime' but the SKILL.md only offers high-level guidance and three curl calls to api.factorhub.cn. It does not show any mechanism to read local OpenClaw configs, logs, or runtime state—so its actual capability is narrower than its description suggests.
!
Instruction Scope
Runtime instructions instruct running curl against api.factorhub.cn endpoints (including an Authorization: Bearer header example) but do not explain how the agent obtains the API key. The instructions do not reference any local files/configs, so they cannot perform the on-agent checks the description promises. The external endpoints are not documented (unknown domain).
Install Mechanism
Instruction-only skill with no install spec and only requires curl (declared). This is low-risk from install/execution perspective.
!
Credentials
SKILL.md examples use an Authorization: Bearer token, but the skill declares no required environment variables or primary credential. This mismatch—example commands needing an API key while the skill doesn't request or document how that key is provided—is a proportionality and transparency concern.
Persistence & Privilege
always:false and no install steps; the skill does not request persistent presence or elevated system privileges.
What to consider before installing
This skill is inconsistent: it promises local diagnostics but only shows remote API checks and example curl commands that require an API key that the skill does not declare. Before installing or running it: 1) verify the operator/domain (api.factorhub.cn and clawbrain.dev) and look for an official homepage/source repository; 2) do not paste or expose your API key to an unknown skill — prefer running the shown curl commands yourself from a trusted shell; 3) ask the author to document required credentials (e.g., OPENCLAW_API_KEY) and to explain how the skill will access local agent configs/logs if it truly diagnoses runtime state; 4) if you need local diagnostics, prefer a skill that explicitly requests read access to specific config/log paths or provides reproducible local commands. Proceed only if you trust the external endpoints and the skill author and after they fix the credential/documentation gaps.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ff0374pe7r8v9bb7gdkjth984j2dt

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🩺 Clawdis
Binscurl

Comments