Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Acpx Bridge Troubleshooting Guide
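v1.0.0
Resolves acpx bridge timeout issues and OpenClaw Feishu multi-account configuration. Use when encountering problems such as acpx timing out while connecting to the Gateway, initialize hanging, WebSocket 1005 errors, a missing gateway.token, acpx configuration errors, Feishu multi-bot configuration, ACP protocol parsing failures, or bindings routing not taking effect. ...
by Roger @roger0808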
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the provided scripts and docs: the skill reads/writes OpenClaw and acpx config files, validates config, restarts Gateway, and updates acpx. These actions are expected for an acpx/OpenClaw troubleshooting guide. However, the SKILL.md contains a literal gateway token example (a long hex string). Embedding a full token value in shipped docs is suspicious (could be an accidental secret leak or an unsafe example) and should be verified before use.
Instruction Scope
The instructions and included scripts stay within the stated scope: they check ~/.openclaw and ~/.acpx, create gateway.token, repair ~/.acpx/config.json, run openclaw CLI commands, and suggest npm install -g acpx. These are relevant to troubleshooting. Notes: scripts write files under the user's home (~/.openclaw, ~/.acpx) and the diagnostic script prints the first 10 chars of the gateway token to stdout (may appear in logs). The SKILL.md's example that directly echoes a token to ~/.openclaw/gateway.token should be treated as a placeholder only — do not paste a real token unless you intend to.
Install Mechanism
There is no install spec (instruction-only), so nothing is installed automatically at skill install time. However the scripts attempt to run 'npm install -g acpx@latest' (or instruct the user to do so). That pulls code from the public npm registry — a moderate-risk action because it fetches and installs third-party binaries. Users should verify the acpx package provenance and prefer reviewing or pinning a known-safe release before installing globally.
Credentials
The skill requests no environment variables, which matches its purpose. However it operates on local configuration files that contain secrets (openclaw.json and gateway.token) and includes an explicit token string in SKILL.md and a command example that writes that token to ~/.openclaw/gateway.token. Shipping a real-looking token in repo files is disproportionate (it may be a leaked secret or encourage unsafe copy-paste). The add_feishu_account.sh script accepts app secrets as arguments and writes them into OpenClaw config — expected for the feature but users should ensure secrets are handled carefully.
Persistence & Privilege
always is false and the skill does not request elevated platform privileges. The scripts modify only the skill-relevant user config paths (~/.openclaw, ~/.acpx) and do not change other skills or system-wide agent settings beyond that scope.
What to consider before installing
Before running any script from this skill, do the following:
- Treat the long hex token in SKILL.md as a placeholder; do NOT paste it into your system unless you know it is a legitimate token you control. Confirm whether the token is an example or an actual secret leaked by the publisher.
- Inspect the three scripts (add_feishu_account.sh, diagnose_acpx.sh, fix_acpx_bridge.sh) yourself. They operate on ~/.openclaw and ~/.acpx and may write tokens/secrets into your local config.
- Back up ~/.openclaw/openclaw.json and any current gateway.token before running fix or add scripts.
- Do not run 'npm install -g acpx@latest' blindly — review the acpx package on npm/GitHub, prefer a pinned release you trust, or run it in a sandbox/container if possible.
- When using add_feishu_account.sh, pass secrets carefully and consider using secure input (avoid exposing secrets on process lists or logs).
- If you are unsure whether the included token is real, rotate any token that might have been exposed and consult your org's secret-management policy.
Overall: the skill appears coherent with its stated purpose but contains a risky example token and instructs installing third-party software; proceed only after manual review and sanitization.
Like a lobster shell, security has layers — review code before you run it.
latest vk97bmsqvd57t760ghj5ryg19gs84cce3
Runtime requirements
🦞 Clawdis
