ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Anime Meme Collector

v0.1.0

Daily collection and management of anime/ACG memes and trending phrases from Chinese internet. Automatically fetches from Bilibili and other platforms to bui...

0· 304·1 current·1 all-time
byLimin Zhao@noblegasesgoo
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual components: a collection script, local reference files, and instructions to run or cron it. There are no unrelated resource requests (no cloud creds, no unrelated binaries).
Instruction Scope
SKILL.md only instructs running the included Python script and referencing local files when answering; it does request outbound web fetches from Bilibili and Zhihu which is consistent with its purpose. Note: the instructions propose adding a cron job (either system cron or OpenClaw cron) — that is expected for scheduled collection but the user should confirm before enabling automated scheduling.
Install Mechanism
No install spec (instruction-only with one bundled script). Nothing is downloaded or installed during runtime beyond the script running with standard Python libraries.
Credentials
The skill requires no environment variables, credentials, or config paths. All network access uses public endpoints and the script stores results under the skill's references directory — credential requests would be disproportionate and none are present.
Persistence & Privilege
always is false and the skill does not request elevated or system-wide config changes beyond advising a cron job. Autonomous model invocation is allowed (platform default) but not combined with other concerning privileges.
Assessment
This skill is coherent and local: it fetches public data and updates a local JSON of memes. Before installing or enabling scheduled runs, review the included script and consider: (1) the script disables SSL certificate verification (in create_ssl_context) which weakens TLS checks — consider enabling verification; (2) the code performs outbound requests to public APIs (Bilibili, Zhihu) so your host's IP will contact those services and may be rate-limited or subject to terms of service — run it responsibly; (3) the script appears to have some brittle regex/logic (harmless but may miss/extract wrong text) — test manually by running the script once; (4) only enable the cron job if you want automatic network access on a schedule. If you want extra safety, run the script in an isolated environment or container and inspect logs/outputs before granting persistent scheduling.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fsetdn4r8fbktrym60qjens82644g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments