ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

妙达网页抓取

v1.0.0

Use when user needs to crawl or fetch a specific URL to extract/summarize its content. Provides necessary command usage instructions for fetching known URLs....

0· 101·4 current·4 all-time
by@nice1234-h
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name and description claim simple webpage fetch/extract functionality, which is coherent. However, the SKILL.md explicitly requires running `miaoda-studio-cli web-crawl` (and references `miaoda-studio-cli search-summary`), yet the skill declares no required binaries or install steps. That omission is a capability–requirement mismatch: either the CLI should be declared/installed or the instructions should not depend on it.
Instruction Scope
Instructions are narrowly scoped to invoking the `miaoda-studio-cli` commands with URL and output options and to using a companion search skill. They do not instruct reading arbitrary local files or environment variables, nor do they direct data to unexpected remote endpoints. The main issue is the instruction's implicit dependency on an external CLI not declared in metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files. That lowers direct installation risk, but it also means it assumes the runtime already provides `miaoda-studio-cli`. The lack of an install specification or verification step for that CLI is an omission that can lead to runtime failures or substitution attacks if an untrusted CLI is present.
Credentials
The skill requests no environment variables, credentials, or config paths. There are no disproportionate secret requests.
Persistence & Privilege
The skill does not request always: true or other elevated persistence. It is user-invocable and allows normal autonomous invocation behavior by default.
What to consider before installing
This skill appears to be a thin wrapper around an external CLI (`miaoda-studio-cli`) but does not declare or install that CLI. Before using: (1) verify whether `miaoda-studio-cli` is already installed in your agent environment and ensure it comes from a trusted source; (2) prefer a skill that declares its dependencies or provides an install method, or add the required binary to your environment from an official release; (3) inspect the `miaoda-studio-cli` implementation (or its package) to confirm it won't exfiltrate sensitive data or execute unintended actions; (4) if you cannot verify the CLI, avoid granting the agent autonomous access to run tools that can fetch external URLs. Providing the CLI's origin or adding a proper install spec would reduce this concern.

Like a lobster shell, security has layers — review code before you run it.

latestvk977d4yxnwsgpn8b4t76xaw1c983tp4e

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments