Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
DashScope LLM
v1.0.1
Sends simple single-turn chat requests through Alibaba Cloud DashScope's OpenAI-compatible API, for quick LLM testing, prompt experiments, or one-off text generation.
by 彭震东 @pengzhendong
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (send single-turn chat to DashScope's OpenAI-compatible API) matches the included script: it constructs an OpenAI client pointed at https://dashscope.aliyuncs.com/compatible-mode/v1 and sends a single user message. No unrelated capabilities are present.
Instruction Scope
SKILL.md and scripts/cli.py limit behavior to reading DASHSCOPE_API_KEY from the environment, issuing one chat completion call, and printing the result. The instructions do not request unrelated files, system config, or external endpoints beyond the DashScope URL.
Install Mechanism
There is no install spec and only a small instruction-only script is included. Nothing is downloaded or written to disk during install, so install risk is low.
Credentials
The code and SKILL.md require DASHSCOPE_API_KEY, but the registry metadata lists no required environment variables or primary credential. That inconsistency is a red flag: the skill legitimately needs one API key (proportionate), but the metadata omission harms discoverability and could indicate sloppy or intentionally misleading packaging.
Persistence & Privilege
The skill does not request persistent presence (always:false) and does not modify system or other-skill configuration. It only runs on invocation and has no elevated privileges.
What to consider before installing
This skill appears to do exactly one thing: send a single chat message to DashScope and print the reply. Before installing or using it:
1) Note the metadata omission — the script requires DASHSCOPE_API_KEY even though the registry lists none; ask the publisher to correct this.
2) Only provide a DashScope API key with minimal scope and rotate it after testing.
3) Because the source/homepage is unknown, review the small script yourself (or run it in an isolated environment) to confirm it only calls the stated endpoint.
4) Ensure you have the expected openai Python package version (to avoid behavioral surprises).
If you need higher assurance or will use sensitive prompts/keys, prefer a published package from a known source or vendor-provided connector.
Like a lobster shell, security has layers — review code before you run it.
latestvk978ytnqts2ery87wz6nfry66984961k
