ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Raccoon Data Analysis

v1.0.3

当用户需要使用小浣熊(Raccoon)进行数据分析会话管理、文件上传下载、数据可视化、数据分析交互时使用此技能。触发词包括"小浣熊数据分析"、"Raccoon数据分析"、"数据分析会话"。

1· 389·0 current·0 all-time
by商汤小浣熊@raccoon-office
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description describe a remote-data-analysis skill. The skill requires python3 and two env vars (RACCOON_API_HOST, RACCOON_API_TOKEN) which are exactly what a remote-API client needs. Included scripts implement session creation, file upload, SSE-based chat, and artifact download — all coherent with the stated purpose.
Instruction Scope
SKILL.md explicitly restricts behavior to remote API use (forbids local data analysis) and instructs the agent to run the provided scripts; the instructions require absolute file paths for uploads and ask for explicit user consent before uploading. There is no instruction to read unrelated files, scan the filesystem, or exfiltrate unrelated secrets.
Install Mechanism
There is no install spec (instruction-only runtime) and the included Python script uses standard requests. No remote downloads or archive extraction occur during install. Risk from installation mechanisms is low.
Credentials
The skill asks only for RACCOON_API_HOST and RACCOON_API_TOKEN (primary credential). These are necessary and proportionate for authenticating to the remote API. The scripts do not request other unrelated credentials or config paths.
Persistence & Privilege
always is false and the skill does not request persistent system-wide privileges. It writes downloaded artifacts to ./raccoon/dataanalysis (per its purpose) and does not modify other skills or system-wide agent settings.
Assessment
This skill is internally consistent: it will read files you explicitly point it at and upload them to the configured RACCOON_API_HOST using the RACCOON_API_TOKEN. Before using it: (1) confirm you have permission to upload the files and they contain no sensitive information, (2) verify and trust the RACCOON_API_HOST endpoint (the SKILL suggests https://xiaohuanxiong.com but the host is configurable), (3) keep your token secret and rotate it if exposed, (4) run the provided scripts from the skill directory as instructed (avoid running broad filesystem searches), and (5) review scripts/main.py yourself if you want to inspect behavior — the script performs uploads, SSE streaming, and downloads but contains no opaque/obfuscated code. If any of these checks fail or you do not trust the remote service, do not use the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b3qv8kn070bw78kbc2rh9ad83m9gj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦝 Clawdis
Binspython3
EnvRACCOON_API_HOST, RACCOON_API_TOKEN
Primary envRACCOON_API_TOKEN

Comments