ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

渠道单位查询助手

v1.0.0

查询渠道单位信息(Python3实现)。通过名称模糊搜索获取列表,或通过ID查询详情。包括CRM账号、站点标识和环境URL。

0· 20·0 current·0 all-time
by@romicboy

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for romicboy/channel-company-query-python.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "渠道单位查询助手" (romicboy/channel-company-query-python) from ClawHub.
Skill page: https://clawhub.ai/romicboy/channel-company-query-python
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install romicboy/channel-company-query-python

ClawHub CLI

Package manager switcher

npx clawhub@latest install channel-company-query-python
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code, SKILL.md, and package.json implement a network client that queries channel/company info from a remote API (apps.ddguanhuai.com) using an Authorization token — this is coherent with the skill's description. However, the registry metadata at the top of the submission incorrectly lists "Required env vars: none" and "Primary credential: none", while package.json and both scripts clearly require LEJIAN_AUTH_TOKEN. That metadata mismatch is an incoherence that should be fixed.
Instruction Scope
Runtime instructions and the scripts are narrowly scoped to making HTTP requests to the stated API and formatting results; they do not read unrelated system files or other environment variables. Minor concerns: SKILL.md uses an absolute filesystem path (/home/gem/workspace/agent/skills/...) when showing how to run the script, which is likely a developer artifact and could confuse users or mask attempted access to unexpected locations. The documentation also tells the user to restart the gateway after setting env vars — unusual but not inherently malicious.
Install Mechanism
There is no install spec that downloads or extracts remote code; this is effectively instruction+bundled script content. No third-party installers or remote download URLs are present.
!
Credentials
The skill requires a single service token (LEJIAN_AUTH_TOKEN) to authenticate to the remote API, which is proportionate to its function. The concern is the manifest inconsistency: the top-level registry metadata claims no required env vars, while package.json's openclaw.env requires LEJIAN_AUTH_TOKEN and the SKILL.md/scripts instruct users to set it. Also the skill will send that token to apps.ddguanhuai.com — you should confirm that domain is expected and that the token has appropriate, limited privileges before providing it.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always: false). It does not attempt to modify other skills or system config beyond advising the user to set an environment variable for its own use.
What to consider before installing
This skill mostly does what it says: it queries a remote API for channel/company information and needs an auth token (LEJIAN_AUTH_TOKEN). Before installing or supplying a token: 1) fix/verify the manifest inconsistency — the registry metadata should declare LEJIAN_AUTH_TOKEN as required (package.json already does). 2) Verify the remote domain (https://apps.ddguanhuai.com/customize-php/lejian) is the official endpoint you expect and that you trust it. 3) Only provide a token with minimal scope/privileges and avoid reusing high-priv keys. 4) Note the SKILL.md shows an absolute developer path (/home/gem/...), which is likely stale; confirm the entry path is ./scripts/channel_company_query.py (package.json) and not an arbitrary absolute path. 5) If unsure, run the scripts in an isolated environment (container) and inspect logs/traffic to confirm behavior. If you want, I can list the exact lines that read the env var and perform network calls so you can audit them or help you craft a safer minimal token policy.

Like a lobster shell, security has layers — review code before you run it.

latestvk97faacj34yqnq0rjmkj3gg8g185jb36
20downloads
0stars
1versions
Updated 4h ago
v1.0.0
MIT-0
@romicboy
latest
Download

Channel Company Query (Python3)

功能

  • 搜索:按名称模糊搜索渠道单位
  • 详情:通过ID查询渠道单位完整信息
  • 格式化:输出搜索列表和详情信息

首次配置

使用前需要配置 API Token:

openclaw config set env.vars.LEJIAN_AUTH_TOKEN <你的token>

重启 gateway 后生效。

环境变量校验

python3 /home/gem/workspace/agent/skills/channel-company-query-python/scripts/channel_company_query.py --help

LLM 调用流程

步骤1:搜索渠道单位

python /home/gem/workspace/agent/skills/channel-company-query-python/scripts/channel_company_query.py --name "示例公司"
  • 多个结果:返回列表(含序号、ID、名称),提示用户选择
  • 单个结果:自动查详情并返回

步骤2:根据用户选择的序号,用对应ID查询详情

python /home/gem/workspace/agent/skills/channel-company-query-python/scripts/channel_company_query.py --detail 1234567

技术要求

  • Python 3.x
  • 标准库 urllib
  • 有效的 Authorization token(配置在 LEJIAN_AUTH_TOKEN 环境变量中)

Comments

Loading comments...