ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

跨境卫士客户端

v1.0.0

Use this skill when the user wants to call, test, debug, or integrate the 跨境卫士客户端 API defined by the bundled OpenAPI specification. Handles endpoint discover...

0· 68·0 current·0 all-time
by@mosquitood

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for mosquitood/kuajingvs.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "跨境卫士客户端" (mosquitood/kuajingvs) from ClawHub.
Skill page: https://clawhub.ai/mosquitood/kuajingvs
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required binaries: curl, python3
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install kuajingvs

ClawHub CLI

Package manager switcher

npx clawhub@latest install kuajingvs
Security Scan
Capability signals
Requires sensitive credentials
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description, the bundled OpenAPI, and the requested binaries (curl, python3) align: this is an instruction-only API client for the provided OpenAPI spec and curl-based testing.
Instruction Scope
SKILL.md stays mostly on-task (read the OpenAPI, construct requests, prefer showing curl, redact secrets). It does instruct the agent to check environment variables and 'local config' for credentials and lists common env var names to try; that is reasonable for an API client but gives the agent discretion to inspect environment variables beyond the skill's own files.
Install Mechanism
No install spec and no code files — instruction-only — so nothing is written to disk by the skill itself. This is the lowest-risk install profile.
!
Credentials
The bundled references/auth.md includes plaintext x-app-id and x-app-secret values. That is unexpected given SKILL.md's rule 'Never expose secrets in full.' Embedding usable credentials in the skill files can cause accidental use or disclosure. The skill does not request unrelated cloud/provider credentials, but the presence of embedded secrets is disproportionate and risky if those keys are real or have any privileges.
Persistence & Privilege
always is false and there is no mechanism to persist or alter other skills or system-wide settings. The skill can be invoked autonomously by the agent (default), which is normal; this is not combined with elevated privileges here.
What to consider before installing
This skill appears to be a straightforward OpenAPI-based API client, but it contains plaintext API credentials in references/auth.md. Before installing: (1) Treat those embedded x-app-id/x-app-secret values as sensitive — verify whether they are just examples or real keys; if real, do not use them for production and rotate/remove them. (2) Confirm the server/base URL is correct (the OpenAPI uses a 127.0.0.1 placeholder). (3) Be aware the SKILL.md tells the agent to check environment variables and local config for credentials — if you install, avoid exposing production secrets in the environment or remove them from the agent's runtime. (4) If you don't trust the embedded credentials, request a version of the skill with auth samples redacted or with instructions to read credentials only from clearly named, user-provided env vars. If you need additional assurance, ask the maintainer whether the credentials are samples and request their removal.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Binscurl, python3
latestvk97518bxtexjdd7rpf1vntj32h85dk9x
68downloads
0stars
1versions
Updated 5d ago
v1.0.0
MIT-0
@mosquitood
latest
Download

跨境卫士客户端

Use this skill when the task involves interacting with the 跨境卫士客户端 API, including:

  • understanding available endpoints
  • generating curl commands
  • filling path, query, header, and body parameters
  • handling authentication
  • testing API requests
  • debugging request and response failures
  • translating user intent into concrete API calls

Bundled references

Before making assumptions about endpoints, request bodies, or response schemas, read the bundled OpenAPI specification from one of the following files:

  • references/openapi.yaml
  • references/openapi.json

If present, also read:

  • references/auth.md

Do not invent endpoints, fields, enum values, request formats, or response shapes that are not defined by the bundled specification or auth notes.

Workflow

  1. Read the OpenAPI spec and identify the correct path and HTTP method.
  2. Determine:
    • base URL or server
    • authentication scheme
    • required headers
    • path parameters
    • query parameters
    • request body schema
    • expected response schema
  3. Translate the user's goal into a concrete API call.
  4. Prefer showing the exact curl command before or alongside execution when that improves transparency.
  5. Use safe shell quoting when constructing commands.
  6. Never expose secrets in full.
  7. Summarize the result clearly, including the HTTP status code and important response fields.

Authentication rules

  • First inspect the OpenAPI spec for the declared security scheme.
  • If references/auth.md exists, follow it as the source of truth for authentication details not fully expressed in the OpenAPI document.
  • If credentials are already available in environment variables or local config, use them.
  • Never print secret values in full.
  • If a token or key must be shown for debugging, redact the middle portion.

Common environment variable patterns to check:

  • BASE_URL
  • API_APP_ID
  • API_APP_SECRET
  • X_APP_ID
  • X_APP_SECRET
  • API_KEY
  • ACCESS_TOKEN
  • BEARER_TOKEN

If the local auth notes define different names, follow those instead.

Request construction rules

Path parameters

Always substitute all required path parameters.

Query parameters

Only include query parameters that are relevant or explicitly requested. Do not send null or empty values unless the API expects them.

Request body

Build JSON request bodies that conform to the schema in the OpenAPI specification. If the schema has required fields, ensure they are present before sending the request.

Headers

Always include:

  • Accept: application/json

Include:

  • Content-Type: application/json

when sending JSON request bodies.

If the API uses custom authentication headers such as x-app-id and x-app-secret, include them on every authenticated request.

Execution pattern

Prefer this style for JSON requests:

curl -sS \
  -X POST "$BASE_URL/example/path" \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  --data '{...}'

Comments

Loading comments...