Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawhub Ops
v1.0.0 · A complete operations manual for ClawHub Skill publishing, account management, SEO optimization, and data queries. Use it when you need to publish a new Skill, switch accounts, query downloads data, troubleshoot publishing attribution problems, or verify IP proxies. Includes the token/IP mapping for 5 accounts, the double config path trap, known CLI bugs, and rate-limit rules.
⭐ 0 · 52 · 1 current · 1 all-time
by peandrover (adam@peand-rover)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims to be an operations manual for publishing/account/SEO/data tasks, which can legitimately require account tokens and proxy usage. However, the package embeds five full account tokens, proxy credentials, and a GitHub PAT inside references/accounts.md while the registry metadata declares no required credentials or config paths. Embedding secrets in the skill bundle (rather than declaring them or prompting) is inconsistent and surprising for a published skill.
Instruction Scope
SKILL.md instructs the agent to read and write user config files (~/'Library/Application Support/clawhub/config.json' and ~/.config/clawhub/config.json), run network calls via proxies, and run npx to publish using HTTPS_PROXY. It also references local filesystem paths (/Users/user/.openclaw/..., ~/.config/github/pat_imo14reifey) and a local HTTP proxy (127.0.0.1:7897). Those instructions go beyond read-only documentation: they direct writing credentials to disk and executing networked commands on the host.
Install Mechanism
There is no install spec (instruction-only), which reduces installer risk. However, runtime instructions call 'npx clawhub@latest publish', which fetches and executes remote npm code dynamically. Using npx@latest is a live code download/execution vector and should be treated as non-trivial risk even though no static install is declared.
Credentials
The skill bundle contains multiple sensitive secrets (five 'clh_*' tokens, proxy credentials including username/password, and a GitHub PAT) and instructs their placement into user config files. The registry metadata did not declare any required environment variables or config paths, so the presence of those secrets is disproportionate and unexpected. Storing/using a GitHub PAT from a host path is particularly high-risk.
Persistence & Privilege
always:false and normal invocation are fine, but the instructions explicitly persist tokens into user config files and reference a workspace script path. That means the skill's recommended actions will create persistent credentials on the host (and could be reused later), which increases blast radius even though the skill itself is not marked 'always:true'.
What to consider before installing
This package is suspicious because it ships plaintext secrets (account tokens, proxy creds, a GitHub PAT) and tells you to write them into local config files and to run npx (which executes code fetched from the network). Before installing or using it: do not run any of the provided commands on a machine with real credentials; treat the embedded tokens as compromised and rotate them if they belong to you; ask the publisher for provenance (who published this and why are secrets included); if you must test, use an isolated sandbox or disposable VM with no sensitive data; remove hard-coded secrets from the files and replace with managed secrets or prompts; avoid running 'npx ...@latest' blindly — pin versions or inspect the package first. If you didn't expect a skill to contain credentials, decline to install it.
