Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

bearing search skill

v1.0.0

Bearing model and brand search and parsing tool. Used for bearing-related query tasks, including: (1) searching for information on a specific bearing model (dimensions, specifications, applications) (2) searching bearing brands and their product lines (3) parsing bearing model coding rules (e.g. 6204-2RS, NU208) (4) bearing selection advice and matching to application scenarios. Trigger this sk... when the user asks about bearing models, brands, specification parameters or selection questions.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name, description, SKILL.md and reference docs align with a bearing search/lookup skill. Included reference docs and example data formats are appropriate for the claimed functionality and no unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md says data is stored under data/models and data/brands within the project, but get_data_dir() in scripts/search_model.py computes project_dir = skill_dir.parent.parent.parent, which (contrary to the documentation) climbs three levels above the skill directory. This mismatch can cause the script to look for a data/ directory outside the skill (unexpected filesystem access). The script otherwise only reads local JSON files and prints results (no network access or env-var exfiltration), but the path bug broadens the set of files it may open.
Install Mechanism
No install spec (instruction-only plus a small script). No packages downloaded or archives extracted; risk from installation mechanism is low.
Credentials
The skill declares no required environment variables, and the code does not read environment variables or credentials. Requested permissions are proportional to the stated purpose.
Persistence & Privilege
The always flag is false, and the skill does not modify other skills or system settings. It has no elevated persistence or special privileges.
What to consider before installing
This skill appears to implement a legitimate bearing lookup, but review the included script before use. get_data_dir() in search_model.py climbs three directory levels above the skill, which contradicts the SKILL.md and may cause the script to read JSON files outside the project. Actions to consider before installing or running: (1) Inspect and run the script in a sandboxed environment. (2) Verify that no parent-level data/ directory the script could reach contains sensitive data. (3) Fix the path calculation (use the repository root or the skill folder explicitly; e.g., set project_dir = script_dir.parent, or project_dir = Path(__file__).resolve().parent.parent if data sits next to the repo root). (4) If you can't change the code, run the skill with limited filesystem permissions or in a container. There are no network calls or credential requests in the code, so the main concern is unintended local file access rather than exfiltration. If you want, provide a copy of the data/ directory layout you plan to use and I can suggest an explicit safe path change.
