ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ifly-text-proofread

v1.0.0

iFlytek Official Document Proofreading (公文校对) — detect and correct errors in Chinese text including typos, punctuation, word order, factual mistakes, sensiti...

0· 124·0 current·0 all-time
byIflytek AIcloud@qingzhe2020
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The name, description, SKILL.md, and included Python script are coherent: they implement an iFlytek 公文校对 client that needs iFlytek credentials and calls the listed endpoint. Functionality requested (proofreading via iFlytek) matches the code and docs.
!
Instruction Scope
The runtime instructions (SKILL.md) and the script require three environment variables (IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET) and perform network calls to https://cn-huadong-1.xf-yun.com/v1/private/s37b42a45. The SKILL.md does not instruct reading unrelated system files or exfiltrating data elsewhere, but it does require secrets which are not declared in the registry metadata.
Install Mechanism
No install spec is provided (instruction-only with a bundled script). This is lower risk than downloading/executing remote binaries; the included script is pure Python stdlib and uses urllib for HTTPS POSTs.
!
Credentials
The skill requires three sensitive environment variables (IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET) in order to function, but the registry metadata lists no required env vars or primary credential. That mismatch is disproportionate/unexpected and should be corrected. The requested env vars are appropriate for an API client, but they must be explicitly declared so users understand credential requirements.
Persistence & Privilege
The skill does not request always:true, has no installs that modify system state, and will only run when invoked. There is no evidence it attempts to persist or escalate privileges.
What to consider before installing
This skill appears to be a legitimate client for iFlytek's proofreading API, but the registry metadata is inconsistent: it does not declare the three required environment variables (IFLY_APP_ID, IFLY_API_KEY, IFLY_API_SECRET) or a primary credential even though both SKILL.md and the included Python script require them. Before installing or providing credentials: (1) Verify the skill publisher and source — the package lists no homepage and an unknown owner ID. (2) Confirm you are willing to provide your iFlytek credentials to this skill; only provide API keys you trust with network access. (3) Review the script locally (it is included) to confirm it only sends data to the documented iFlytek endpoint; note the script sets a Host header of api.xf-yun.com while posting to cn-huadong-1.xf-yun.com — this may be part of the official signature scheme but is worth verifying against iFlytek docs. (4) Ask the publisher/registry to correct metadata to list required env vars and a primaryEnv so users can make an informed decision. If you cannot verify the source or do not want to expose your API keys, do not install or run the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fr5k56vp8dw7ypwbc73r2jh834b5n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments