Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Qiuqiu Helper
v0.1.0
Automates workspace tasks including summarizing recent changes, adding timestamped notes, and cleaning old log files.
⭐ 0· 1.8k·2 current·2 all-time
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes plausible workspace helper actions (summaries, appending notes, cleaning logs) that match the skill name. However the package provides no human-readable description and declares no config paths or permissions even though its functionality implies filesystem access. That lack of declaration is an inconsistency worth noting.
Instruction Scope
Instructions permit writing or appending to a 'memory folder' and deleting log files in a 'current logs directory' but do not specify exact paths, safety checks, or limits. The guidance is open-ended ('defaults to current logs directory', 'Just call it'), giving the agent broad discretion to read, write, and delete files. This is a risky scope gap for a skill that manipulates filesystem data.
Install Mechanism
Instruction-only skill with no install steps or code files. No downloads or third-party packages are involved, which minimizes install-time risk.
Credentials
The skill declares no environment variables or credentials, which is appropriate for simple workspace tasks. However it references implicit locations (memory folder, logs directory) without declaring required config paths or asking for explicit directories, so filesystem access needs are not explicitly surfaced.
Persistence & Privilege
always:false and no special privileges requested. The skill can be invoked autonomously by the agent (platform default), which is expected; this is not by itself a red flag. There is no request to persist configuration or modify other skills.
What to consider before installing
This skill could be useful, but it currently leaves important details unspecified. Before installing or enabling it, ask the author to: (1) provide a clear description of purpose and intended scope; (2) explicitly declare/configure the exact directories it will write to (memory folder) and clean (logs directory); (3) implement and document safety checks (limit file patterns, require user confirmation before deletion, provide a dry-run mode, avoid recursive deletes by default); (4) restrict operations to a workspace-specific directory and run with least privilege; and (5) add audit/logging so changes are visible. If the author cannot clarify these points, treat the skill as risky because it could delete or overwrite files unexpectedly.
Like a lobster shell, security has layers — review code before you run it.
latestvk97beprqd1d5deykbn8s70g8q580b47z
