Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Nomtiq
v0.4.6
Nomtiq — finds restaurants worth going to. No rankings, no ads. Remembers your taste, knows your budget. 小饭票 ("Little Meal Ticket"): find restaurants, recommend restaurants, what to eat, good food nearby.
⭐ 2· 481·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The scripts and SKILL.md implement searches (map/Google/Yelp/Reddit), user taste profile management, and optional anonymous sharing to a Moltbook endpoint — all coherent with a restaurant‑finder. However the registry metadata at the top of the evaluation said “Required env vars: none” while SKILL.md and AGENT_GUIDE list AMAP_KEY, SERPER_API_KEY, and MOLTBOOK_API_KEY; that mismatch is unexpected and should be clarified.
Instruction Scope
Runtime instructions and AGENT_GUIDE tell the agent to run many Python scripts that read/write local profile files, call multiple external APIs, and optionally post anonymous reviews to Moltbook. The SKILL.md contains a detected 'unicode-control-chars' injection pattern which could be used to manipulate downstream LLM prompts. Also promotion documentation and scripts discuss broadcasting/marketing the skill (posting examples to social platforms) — this increases the chance user data might be shared if options are enabled. Overall the actions go beyond purely local recommendation text-generation and include external network activity and optional data sharing.
Install Mechanism
No package download/install spec; it's instruction+scripts that run with system Python. No remote installers or archive downloads were requested in the manifest, which reduces install risk. The code files are present and executed locally.
Credentials
Requested API keys (AMAP_KEY for Amap, SERPER_API_KEY for Serper, MOLTBOOK_API_KEY for Moltbook) are proportionate to the stated external calls. But the top-level registry metadata claiming no required env vars contradicts the SKILL.md's declared env needs; that inconsistency could hide surprising network access. Moltbook posting is opt‑in, but if enabled it would transmit user‑recorded restaurant entries externally (even if claimed 'anonymous').
Persistence & Privilege
The skill is not always:true and doesn't request elevated system privileges. It stores and updates local profile JSON files (expected for personalization) and does not declare modifications to other skills or global config.
Scan Findings in Context
[unicode-control-chars] unexpected: Unicode control characters found in SKILL.md can be used in prompt injection to alter LLM parsing or to hide text; this is not required for a restaurant finder and should be investigated/removed.
What to consider before installing
Things to check before installing or enabling Nomtiq:
- Clarify env var requirements: SKILL.md expects AMAP_KEY, SERPER_API_KEY and MOLTBOOK_API_KEY but top‑level metadata listed none. Only provide keys you trust and intend to use. Use least‑privilege keys (e.g., restrict referer/IP and quotas).
- Review the scripts (search_*.py, profile.py, moltbook.py) yourself (or in a sandbox) to confirm what data is read, written, and sent. Pay attention to what profile data is posted when you enable Moltbook sharing.
- Treat Moltbook sharing as potentially exfiltrative: it will send restaurant records externally (claimed anonymous, limited to 2/day); only opt in if comfortable.
- Remove or sanitize any unicode control characters in SKILL.md to eliminate prompt‑injection risk before letting an LLM execute skill prompts.
- If you want extra safety, run the skill in an environment with network egress controls (or a proxy) so you can observe and limit outbound requests (especially to third‑party endpoints like google.serper.dev and www.moltbook.com).
- If you lack the ability to audit Python code, prefer not to install the skill or only enable it with network access restricted and without enabling Moltbook posting.
I have medium confidence in this assessment because the code and instructions mostly align with the declared purpose, but the metadata mismatch and prompt‑injection signal raise nontrivial concerns that should be resolved before trusting the skill with keys or private data.
Like a lobster shell, security has layers — review code before you run it.
