Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
rural-cloud-platform
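v1.0.2
Automatically logs in to the Digital Village Cloud Platform, supports querying villager information by phone number, name, or ID card number, extracts and exports the data, and logs out automatically when finished.
by @rookcat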
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md and top-level description claim multi-mode queries (phone, name, ID) and automated login/data extraction which fit each other, but skill.json explicitly lists name_query and id_query as false and states '仅支持手机号查询' (only phone supported). The repository URL/metadata point to a GitHub repo but the published package contains no code implementing the described functionality. These inconsistencies make it unclear what the skill actually does.
Instruction Scope
Runtime instructions ask users to clone the repo, pip install -r requirements.txt, run python test.py or python main.py and set RURAL_CLOUD_URL; however the package contains only README.md, skill.json and SKILL.md — there is no requirements.txt, no test.py, no main.py and no implementation files. The SKILL.md describes browser automation and QR-code login (which would legitimately require controlling a browser and accessing the target website), but the provided instructions reference files and scripts that are missing.
Install Mechanism
This is an instruction-only skill with no install spec and no bundled code to execute; that minimizes immediate install-time risk. However the instructions recommend pip installing from a repo that is not included, so risk would depend on the actual repository if the user follows those instructions.
Credentials
No required environment variables or credentials are declared (primary credential: none). The SKILL.md suggests an optional RURAL_CLOUD_URL and a DEBUG flag. For a skill that logs into an external portal and extracts personal data, absence of declared credentials is plausible if QR-code interactive login is used — but it's surprising that no authentication mechanism or storage detail is present. Verify how the real implementation handles authentication and where extracted data is sent or stored.
Persistence & Privilege
The skill does not request always:true and is user-invocable with normal autonomous invocation settings. There is no indication it tries to persist or modify other skills/system-wide settings in the provided files.
What to consider before installing
Do NOT install or run this skill as packaged. The SKILL.md instructs running scripts (requirements.txt, test.py, main.py) that are not included and the metadata contradicts the advertised capabilities — this is a strong sign the published bundle is incomplete or a stub. Before proceeding, ask the publisher for: (1) the real repository URL and a full file listing, (2) the actual implementation files (requirements.txt, main.py/test.py and any scripts that perform login/data export), (3) a clear explanation of how authentication is performed and where exported data is stored or sent, and (4) verification that the GitHub repository is legitimate and unchanged (inspect commit history and release assets). If you must test, do so in a sandboxed environment and avoid using real personal data or real credentials until you have audited the code. If the skill will handle sensitive personal data (villager records), insist on explicit privacy, logging, and data-retention policies and prefer code you can review rather than opaque instruction-only packages.
Like a lobster shell, security has layers — review code before you run it.
latestvk974pvgrkkkgp5w6qqyjkvr1mn845vmj
