ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

mufi-admin

v1.0.0

Manage MUFI events by creating and connecting festivals, campaigns, frame templates, and frames with specified details and images via admin.muinfilm.com.

0· 355·0 current·0 all-time
by@mupengi-bot
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes exactly the MUFI admin UI workflows (events, campaigns, frame templates, frames) so the required actions align with the stated purpose. However the skill does not declare any credentials or auth mechanism while the admin site necessarily requires login, which is an unexplained omission.
!
Instruction Scope
Instructions include precise DOM manipulation snippets (document.querySelector / evaluate to click date cells and save buttons) and recommend using a browser profile named 'openclaw'. These runtime instructions directly manipulate the admin UI and assume access to a logged-in browser profile — they do not describe authentication, nor do they limit or validate actions, which could cause unintended admin changes if run autonomously.
Install Mechanism
No install spec or external code is provided; the skill is instruction-only, so it does not write files or download archives.
Credentials
No environment variables or credentials are requested, yet the skill expects use of a specific browser profile and an authenticated session. The absence of declared credential handling is a proportionality gap: the agent will need access to a logged-in session but the skill gives no guidance on safe handling of those credentials or sessions.
Persistence & Privilege
always:false (normal). The skill can be invoked autonomously (platform default). Given it performs admin UI actions, autonomous invocation could make sensitive changes; this is not a platform misconfiguration but is operationally significant and should be considered before enabling autonomous runs.
What to consider before installing
This skill is an instruction-only guide for automating MUFI admin UI tasks; the content itself matches that purpose. However it assumes an authenticated browser session (mentions a profile named 'openclaw') but does not explain how to authenticate or how credentials are handled. Before installing or allowing autonomous use: 1) Confirm how you will provide authentication (do not upload or share full browser profiles unless you trust the skill/source). 2) Prefer manual review or sandboxed testing of the DOM-eval snippets — they execute clicks and could save unintended changes. 3) If you plan to allow autonomous invocation, restrict or monitor runs so the skill can't perform wide-ranging admin changes without human approval. 4) Ask the publisher for clarification about authentication and whether the 'openclaw' profile is required or a local convenience tip. If you cannot verify those details, treat this skill cautiously or test it in a non-production environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b2phn1pwvc3fth7rzv6f835820b16

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments