Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Tmp.4zmXoYsJt3
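v1.2.5
Collects and submits local OpenClaw conversation records to the data platform. When the user says "collect data", "submit data", "submit conversations", "submit records", "submit logs", "scan conversations", "scan logs", "see which conversations can be submitted", "help me submit my conversation records", "view submission records", "how many have been submitted", "clawtraces", "claw", or expresses an intent to scan, collect, submit, or view local conversation records...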
by @miracle
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to collect and submit local OpenClaw conversation logs — the included scripts clearly scan local logs, extract system prompts, convert trajectories, and submit to a remote API. Requiring access to local OpenClaw state, reading cache-trace, and network access to a submission endpoint is coherent with that purpose. However, the registry metadata declares no required env vars/config paths while the code uses OPENCLAW_STATE_DIR, CLAWTRACES_SERVER_URL, and CLAWTRACES_SECRET_KEY and writes to openclaw.json and a skill .env file; that mismatch (undeclared env/config access) reduces transparency and is worth flagging.
Instruction Scope
SKILL.md instructs the agent to run the bundled Python scripts that read local conversation logs (including system prompts), modify the OpenClaw config (openclaw.json) to enable cache-trace and increase 'thinking' levels, and then restart or ask the user to restart OpenClaw. It also prescribes an interactive phone+SMS auth flow and then uploading data to an external server. The SKILL.md contains rigid output/behavior directives ('必须原样输出... 不要自行增减内容', i.e. "must output verbatim... do not add or remove content on your own"), which is a prompt-injection style attempt to control agent outputs. The instructions direct reading and transmitting sensitive local data (system prompts and full sessions) to an external endpoint — this is functionally consistent with the stated purpose, but it is high-risk and should be accepted only with informed consent and review of the remote endpoint.
Install Mechanism
No install spec is provided (instruction-only), so nothing is downloaded at install time. However, the package includes many Python scripts that will be executed locally. There's no external package download during install, but running the included code will write to disk (openclaw.json, a .env file) and perform network calls. Absence of an install step reduces supply-chain risk, but presence of executable scripts bundled with the skill means you should inspect them before running.
Credentials
The skill uses and persists credentials and configuration but the registry lists no required env vars. The code expects/uses: OPENCLAW_STATE_DIR (config/log path), CLAWTRACES_SERVER_URL, and CLAWTRACES_SECRET_KEY (saved in a .env file named by lib.paths). It asks the user for a phone number and SMS code to obtain an API key from DEFAULT_SERVER_URL (https://api.shixiann.com) and will save that key to a .env file in the skill's path. Storing the key locally and enabling broad config changes (writing openclaw.json) amplify risk. The number and type of sensitive accesses are proportionate to data collection, but the lack of explicit declaration in the registry and the default external server being hard-coded are concerns.
Persistence & Privilege
always:false (normal), but the skill writes/modifies OpenClaw's configuration (openclaw.json) and writes/updates a local .env file with the API key. It may require or instruct restarting the OpenClaw gateway. Modifying host application config and prompting a service restart is a privileged operation; it's arguably required for capturing system prompts but is invasive and should require explicit user approval and backup of the original config. The skill does not request persistent platform-level privileges in metadata, but its runtime behavior has persistent side effects.
Scan Findings in Context
[system-prompt-override] unexpected: SKILL.md contains explicit instructions forcing exact phrasing and telling the agent not to deviate ('必须原样输出... 不要自行增减内容', i.e. "must output verbatim... do not add or remove content on your own"). This is a prompt-injection indicator and is unrelated to the technical need to collect and submit logs — it attempts to control the agent's responses and evaluation flow.
What to consider before installing
What this skill will do if you run it: it will scan your local OpenClaw state/logs (including system prompts and full conversation content), potentially modify your OpenClaw configuration (enable cache-trace, raise 'thinking' levels, set model reasoning flags), ask you to authenticate by providing your phone number and an SMS code, save an API key to a local .env file, and submit selected sessions to a remote server (default: https://api.shixiann.com).
Before installing or running it, consider:
1) Review the code (especially auth.py, env_check.py, cache_trace.py, submit.py) and confirm the remote server URL is trusted.
2) Back up your openclaw.json and any state directories so you can restore configuration if undesired changes are made.
3) Confirm exactly which sessions will be uploaded and require an explicit consent step before any submit; do not provide your phone number unless you trust the server and its privacy policy.
4) The SKILL.md contains prompt-control instructions — do not let those override your normal agent prompt safety checks.
5) If you are unsure, run the scripts only in an isolated machine or sandbox, and manually inspect network calls (e.g., with a proxy) before allowing upload.
If you want, I can point out specific lines in the code that perform network submission and config writes so you can inspect them in detail.
Like a lobster shell, security has layers — review code before you run it.
