ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

附近取款机

v0.1.0

Find nearby ATMs. Invoke when user asks for cash withdrawal near me.

0· 82·0 current·0 all-time
by@mikeclaw007·duplicate of @codekungfu/atms
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name and description match the declared inputs/outputs (location in, ATMs list out). The skill does not request any extra credentials or binaries, which is proportionate. However, the SKILL.md does not specify any data provider/API for ATM lookup (no mapping provider, POI datasource, or API endpoint), so it is unclear how results are obtained — this gap is noteworthy.
!
Instruction Scope
The instructions require an input location and describe response fields, errors, and privacy guidance, which is fine, but they also link to a STANDARD_RESPONSE.md using an absolute local file URL (file:///Users/mac_lkm/...). That references a developer-local path that won't exist in most runtimes and suggests the agent might try to read local files or rely on out-of-skill artifacts. The SKILL.md gives no direction on which external API, provider, or dataset to call; this vagueness grants the agent broad discretion to choose data sources or make arbitrary network calls.
Install Mechanism
Instruction-only skill with no install spec and no code files. This minimizes install-time risk.
Credentials
The skill declares no required environment variables, credentials, or config paths — appropriate for a simple lookup skill. There are no hidden credential requests in the instructions.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent presence or to modify other skills or system-wide settings.
What to consider before installing
This skill looks conceptually correct for 'find nearby ATMs' but the runtime instructions are incomplete and reference a local file path (file:///Users/...) for the response schema. Before installing or enabling it, verify: 1) which data provider or API the skill will use to find ATMs (Google/Mapbox/OpenStreetMap or an internal dataset), and whether API keys are needed; 2) remove or replace the absolute local file:// link with an embedded schema or a reachable URL so the agent won't attempt to read arbitrary local files; 3) confirm that the agent will only use the user's location after explicit consent and that precise coordinates will not be stored; 4) if you expect the skill to call external services, ensure those endpoints are trusted and that rate-limiting and error handling are defined. If these details are not provided, treat the skill as potentially unsafe to run autonomously because it could make arbitrary network requests or try to access local files.

Like a lobster shell, security has layers — review code before you run it.

latestvk97725p3tsjwy9pdkmk96cgbjn83fqjp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments