ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

shixinchao

v1.0.1

测试-史新超

0· 80·0 current·0 all-time
by@roarday

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for roarday/shixinchao.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "shixinchao" (roarday/shixinchao) from ClawHub.
Skill page: https://clawhub.ai/roarday/shixinchao
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install shixinchao

ClawHub CLI

Package manager switcher

npx clawhub@latest install shixinchao
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md and scripts indicate the skill is a thin client for the jointpilot async_chat API (Q&A/streaming). That purpose is reasonable for the declared functionality. However, the registry metadata lists no required environment variables while SKILL.md declares an API_KEY is required — a clear mismatch between what the skill says it needs and what the registry requests. This inconsistency suggests the package was not packaged correctly.
!
Instruction Scope
SKILL.md instructs the agent to call scripts/program.py and to read API_KEY from the environment, and it references an external endpoint (https://developer.jointpilot.com/...). Those instructions are within scope for a remote Q&A skill. The problem: the included script does not actually read the API_KEY from the environment (it sets api_key = ""), and the script calls requests.post with stream=False while parsing SSE lines — another implementation mismatch. These instruction/code inconsistencies mean the runtime behavior will not match the documented behavior and could leak or fail in unexpected ways.
Install Mechanism
No install spec is provided (instruction-only with a bundled script). This is low risk from an installation perspective because nothing arbitrary is downloaded at install time.
!
Credentials
SKILL.md requires a single sensitive env var (API_KEY) for bearer authentication to the external API — that is proportionate to the skill's purpose. However, the skill registry does not declare this required env var, and the program.py currently does not read the env var. The mismatch means user's API key may not be used as intended (or may be accidentally omitted), and the registry failing to declare the secret makes it easy to miss during review.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation is allowed (the platform default), which is normal for skills. No modifications to other skills or global agent settings are present.
What to consider before installing
This skill is suspiciously inconsistent rather than overtly malicious. Before installing or providing secrets: (1) Do not provide your real API key yet — the registry metadata does not declare API_KEY. (2) Inspect and fix the code: program.py currently sets api_key = "" instead of reading os.environ['API_KEY'] (or similar), so authentication will fail or send an empty bearer token. (3) Confirm streaming behavior: requests.post is called with stream=False while the code iterates response.iter_lines() expecting SSE; change to stream=True and handle SSE properly. (4) Remember that user questions (potentially sensitive) will be sent to the external domain developer.jointpilot.com; only use a scoped/test key and review the remote service's privacy policies. (5) If you are not the developer, ask the publisher to (a) update the registry metadata to declare API_KEY as required, (b) correct program.py to read the env var and handle streaming, and (c) document what data is sent to the external API. If these issues are not resolved, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk97450603ft01net873qv1vc5h84rt0q
80downloads
0stars
2versions
Updated 2w ago
v1.0.1
MIT-0
@roarday
latest
Download

// turbo-all

测试-史新超

任务目标

  • 本 Skill 用于:测试-史新超
  • 能力包含:智能问答、上下文理解、流式输出
  • 触发条件:用户提问时自动触发

前置准备

  • 依赖说明:scripts 脚本所需的依赖包及版本

    requests==2.31.0

  • 环境变量配置:

    • API_KEY必需,API Key,用于调用接口

操作步骤

  • 标准流程:

    1. 接收用户输入

      • 智能体接收用户提出的问题或指令
      • 示例:你好,请问有什么可以帮助你的?

    2. 调用脚本

      • 调用 scripts/program.py 处理问题
      • 必需参数:--question "用户输入文本"
      • 可选参数:根据应用配置动态生成
      • 脚本自动处理 API 调用和响应解析

    3. 返回结果

      • 脚本返回 API 的答案
      • 智能体将结果以清晰易懂的方式呈现给用户

资源索引

注意事项

  • API 调用使用流式输出,脚本会自动处理响应流
  • API Key 从环境变量 API_KEY 读取,请确保已设置
  • API 地址为 https://developer.jointpilot.com/v1/api/async_chat/completions/
  • 请确保网络连接正常,API Key 有效
  • 最后从返回值里获取答案

使用示例

示例 1:基本调用

python scripts/program.py --question "请介绍一下你的功能"

示例 2:完整调用

python scripts/program.py --question "帮我分析一下这个问题"

Comments

Loading comments...