Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawhub Mirror Config And Search Skill
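v1.0.0
Configure the ClawHub domestic (China) mirror to resolve rate limiting, and install the Multi Search Engine skill. Use when ClawHub skill installation is rate-limited, access is slow, the cn.clawhub-mirror.com mirror needs to be configured, the multi-search-engine skill needs to be installed, or the configuration needs to be archived to a knowledge base. Covers specifying the mirror via CLI parameters, environment variable configuration, 17 search engines...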
by Roger @roger0808
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the instructions: the SKILL.md only describes configuring a ClawHub registry/mirror and installing a Multi Search Engine skill and documenting the steps. It does not request unrelated capabilities or credentials in its metadata.
Instruction Scope
The instructions go beyond simple registry configuration and installation: they tell the agent/user to create files under ~/.learnings, update LEARNINGS.md and TOOLS.md, 'sync to all agent work directories (main, echo, code, research)', and perform Git commits/pushes. Those steps modify multiple workspaces and transmit data to a remote Git server — actions that are not limited to the stated single-task install and could leak data or change other agents' state.
Install Mechanism
This is instruction-only (no install spec, no code files). That is low-risk from an installation mechanism perspective because nothing is auto-downloaded/installed by the skill itself. However, the actual installation relies on a third-party mirror URL (https://cn.clawhub-mirror.com) which the user must trust when used by the ClawHub CLI.
Credentials
The skill declares no required env vars or credentials (consistent with metadata) but the instructions mention setting CLAWHUB_REGISTRY/CLAWHUB_SITE and also expect Git pushes. The skill does not declare any required Git credentials or remote repo info; instructing pushes without declaring credential needs is an omission that may surprise users and could allow unintended remote writes if credentials are present.
Persistence & Privilege
always:false and normal model invocation are fine. The concern is the guidance to 'sync to all agent work directories' (main, echo, code, research) and to update shared index files — this implies modifying other agents' files/configs. The skill does not declare or limit that scope; such cross-workspace modifications increase attack surface and potential impact if the mirror or the installed skill behaves maliciously.
What to consider before installing
This skill is coherent with its stated goal (use a domestic mirror and install a multi-search skill), but proceed with caution:
1) Verify the mirror domain (https://cn.clawhub-mirror.com) before using it — confirm TLS cert, ownership, and reputation to avoid supply-chain risks.
2) The SKILL.md tells you to write files across multiple agent workspaces and to commit & push to Git; review what will be written and back up those workspaces first.
3) Do not run automated Git pushes unless you understand which remote will receive the data and you trust it; the skill does not declare any credential requirements.
4) If you only want to avoid rate limits, prefer using the CLI --registry flag for a single command and test with a non-privileged dry run.
5) If uncertain about the mirror, consider mirroring packages through a trusted internal repository or contacting ClawHub maintainers for an official mirror.
If you want, provide the mirror's owner or certificate info and I can help assess its trustworthiness.
Like a lobster shell, security has layers — review code before you run it.
latest: vk971gj7tmc8fzmhg8bh1yxhxth84cnq2
Runtime requirements
🦞 Clawdis
