Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawLine Setup

v0.2.1

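Install the ClawLine plugin with one click through conversation, bind your phone's UUID, and check connection status or disconnect, with no command-line operations required.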

by qutianxiang @qtx0213
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill says it performs one-click install/config without command-line operations, but SKILL.md and install.txt explicitly call out the CLI command `openclaw plugins install @openclawline/clawline-setup`. The metadata lists no required binaries or config paths even though installing a plugin and writing a UUID to gateway config clearly requires the OpenClaw CLI and permission to modify gateway configuration—this is an incoherence between claimed purpose and required capabilities.
Instruction Scope
Instructions tell the agent to 'write UUID to config and restart gateway' but do not specify which files, what exact commands, or what safety checks to perform. That gives the agent broad discretion to modify local configuration and restart services. The README also contradicts itself (saying no command-line required while showing an explicit CLI install command). Vague, open-ended instructions that modify system config are a scope concern.
Install Mechanism
There is no install spec in the registry bundle, but install.txt and SKILL.md indicate installation via `openclaw plugins install @openclawline/clawline-setup`, which will fetch an npm package. This is a reasonable mechanism for a plugin, but it relies on an external npm package and the OpenClaw CLI—verify the package and its maintainer before installing.
Credentials
The skill declares no environment variables or credentials, which is good, but it implicitly requires the ability to modify OpenClaw gateway configuration and restart the gateway (file and service-level privileges). Those privileges are not declared in metadata and may be more powerful than users expect.
Persistence & Privilege
`always` is false and the skill is user-invocable; autonomous invocation is allowed (platform default). The skill's capability to edit gateway config and restart services is a high-impact action, but it does not request persistent `always` inclusion. Users should be cautious about allowing autonomous runs that perform system changes.
What to consider before installing
This skill appears to do what it says (install a ClawLine plugin and bind a phone UUID), but there are inconsistencies and vague instructions you should resolve before proceeding. Specifically:
- The SKILL.md contradicts itself: it says 'no CLI needed' but tells the agent to run `openclaw plugins install ...`. Confirm you have the OpenClaw CLI and are comfortable using it.
- The skill implies it will write to gateway configuration files and restart the gateway; ask exactly which files and commands will be changed and back up those configs first.
- Inspect the npm package (@openclawline/clawline-setup) and the GitHub repository before installing to verify the maintainer and code are trustworthy.
- If you are unsure, perform the plugin install and UUID binding manually (or ask the skill to show exact commands it will run) so you can review each change.
- Do not provide any other credentials or tokens to this skill; it does not declare needing them.

If the developer provides more precise install steps or a link to audited code, the assessment could be upgraded.

Like a lobster shell, security has layers — review code before you run it.

