Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
YesApi 果创云 Low-Code Platform
v1.1.0 wraps the YesApi 果创云 low-code platform API, supporting management of form structures and create/read/update/delete plus batch operations on form data.
by dogstar@phalapi
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Scanner: OpenClaw
Verdict: Suspicious (medium confidence)
Purpose & Capability
The name/description, SKILL.md, and the Python client (yesapi_client.py) all consistently implement a YesApi (果创云) API client for managing forms and data — the requested capabilities match the stated purpose. However, the registry metadata at the top of the submission claims there are no required environment variables, while SKILL.md and the code require YESAPI_APP_KEY, YESAPI_DOMAIN, and YESAPI_SIGN. This metadata mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md and the code focus only on YesApi API operations (list/create/delete models, query/insert/update/delete/batch operations). The runtime instructions and code do not access unrelated system files or external endpoints beyond the configured YesApi domain. Note: the skill (and tests) perform potentially destructive actions (create/delete models, batch delete/update), so users should be aware that invoking the skill can modify remote data.
Install Mechanism
There is no install spec — this is essentially an instruction+code package that relies on Python and listed dependencies. No downloads from arbitrary URLs or executable installers are present. Dependencies are standard Python packages declared in requirements.txt.
Credentials
The environment variables required by SKILL.md and code (YESAPI_APP_KEY, YESAPI_DOMAIN, YESAPI_SIGN) are appropriate for an API client and are a small, focused set of secrets. The concern is that the registry metadata omitted these required env vars, and the code auto-loads .env via python-dotenv, which may read a local .env file unexpectedly — users should ensure they supply only intended credentials and understand where credentials are read from.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or system-wide configurations. It creates a global handler instance on import (normal for convenience) and otherwise has standard, limited presence.
What to consider before installing
This package appears to be a legitimate YesApi client, but take these precautions before installing or providing credentials:
- Verify and fix the metadata discrepancy: the registry entry claims no required env vars, but SKILL.md and the code require YESAPI_APP_KEY and YESAPI_SIGN (and optionally YESAPI_DOMAIN). Ask the publisher to correct registry metadata so automated tooling can surface required secrets.
- Treat YESAPI_APP_KEY and YESAPI_SIGN as sensitive secrets. Do not provide production credentials until you confirm the skill's source and trustworthiness.
- The skill (and included test script) can create and delete models and perform batch updates/deletes. Test in a non-production account or sandbox to avoid accidental data loss.
- Note that yesapi_client.py calls dotenv.load_dotenv() on import, which will read a local .env file if present; ensure that file does not contain other secrets you don't want the skill to see.
- Review the code (yesapi_client.py and skill_handler.py) yourself or run it in an isolated environment to confirm behavior and to verify the domain (default https://api.yesapi.net) matches your expected endpoint.
If the publisher cannot explain the registry/metadata mismatch and provide a trustworthy source, avoid supplying real credentials and treat the skill as untrusted.
Tags: api, database, form, latest, lowcode, yesapi
