Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

jike-data-service

v1.0.0

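Jike Data Service: a Douyin content-marketing data platform. Provides Honor phones with data capabilities such as competitor analysis, content benchmarking, and trend tracking. Covered scenarios include: benchmark account search, trending keyword search, platform trend search, topic suggestions, and benchmark content discovery. Supports filtering by brand (Honor/Huawei/Xiaomi/OPPO/vivo/Apple/Samsung), follower count, content tag (photography/battery/screen/AI/appearance/performance/gaming/review/unboxing...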

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The name/description match the included CLI (scripts/ry-data.py) and default base URL (https://ry-api.dso100.com). The requested binary (python3) is appropriate. However, the skill metadata lists no required environment variables while the runtime clearly needs an API secret (RY_DATA_SECRET_KEY or config.json.secret_key) to function — a capability/requirement mismatch.
Instruction Scope
SKILL.md provides detailed runtime instructions and enforces use of the shipped script (no direct curl). The instructions confine actions to the service's API and reading scripts/config.json. They do not instruct reading unrelated system files or exfiltrating other credentials. The only scope concern is that the SKILL.md mandates an API secret but the manifest did not declare it.
Install Mechanism
This is an instruction-only skill with no install spec; risk is low. The included Python script uses standard libraries and performs HTTP(S) requests. No downloads, archives, or external installers are executed.
Credentials
The CLI requires an API key (reads RY_DATA_SECRET_KEY or config.json.secret_key) and will send it in the X-API-Key header to the configured base URL. Yet the skill's manifest declared 'Required env vars: none'. Additionally, the script supports an override RY_DATA_BASE_URL not documented in SKILL.md metadata. Asking for an API secret without declaring it is a proportionality/information transparency issue — users must know they will supply a credential that will be transmitted to an external host.
Persistence & Privilege
always is false and the skill does not request system-wide persistence. The script only reads its own scripts/config.json and environment variables; it does not modify other skills or system settings.
What to consider before installing
This skill is a CLI wrapper that calls https://ry-api.dso100.com and requires an API secret (set RY_DATA_SECRET_KEY or put secret_key in scripts/config.json). Before installing:
1) Verify you trust ry-api.dso100.com and the skill author (source is unknown).
2) Don’t supply high-privilege credentials — use a least-privileged API key scoped only to the data needed.
3) Note the manifest did not declare the required env var; consider asking the publisher to update metadata to list RY_DATA_SECRET_KEY (and document RY_DATA_BASE_URL).
4) Inspect scripts/config.json and scripts/ry-data.py yourself (they’re included) to confirm endpoints and behavior.
5) If you will allow autonomous invocation, remember the skill can call the external API with your provided key — only enable it if you trust the service and key usage policy.


Runtime requirements

📊 Clawdis
Bins: python3
