Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kpop Tracker
v2.1.0
Track K-Pop idol updates including comebacks, albums, concerts, solo activities, merch, and official YouTube content with 3-stage search architecture (Offici...
by @ryemco
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (K-Pop update tracker with 3-stage search and Weibo monitoring) plausibly requires a browser and web access. However, the bundle only includes two small scripts for config management and no code that performs the described scraping, parsing, or price-comparison logic. Requiring a 'browser' binary is consistent with the purpose but ambiguous (what browser tool/driver is expected?).
Instruction Scope
SKILL.md instructs the agent to perform broad web checks (official accounts, media, Taiwan fan sources) and to monitor Weibo and store websites, produce exact output templates, and create/read workspace config files. It does not instruct the agent to read unrelated local data, but it implicitly requires automated browsing/scraping and access to many external sites. The skill grants the agent discretion to fetch content from arbitrary public sites (including commercial stores and social platforms) but provides no implementation details, rate-limiting, or handling of authentication/robots rules.
Install Mechanism
There is no install spec (instruction-only), so nothing is downloaded or written by an installer. This minimizes installation risk. The included Python scripts only create and edit local JSON config files.
Credentials
No environment variables, credentials, or config paths are requested, which is appropriate. However, the skill declares automated Weibo monitoring and store checks but does not request any credentials nor explain how it will handle sites that require auth or anti-bot measures — this is a functional gap rather than an explicit overreach.
Persistence & Privilege
always is false and there's no install that forces persistent system-wide changes. The scripts act only on a workspace directory under the user's control; no system config or other skills are modified.
What to consider before installing
This skill claims to do automated browsing/scraping (official accounts, news, Taiwan fan groups, and Chinese Weibo) but the package only includes config helpers; the code that would actually fetch and analyze web content is not present in the files provided. Before installing or enabling the skill, ask the publisher: (1) How is the automated browsing/scraping implemented at runtime (what 'browser' binary/tool is expected)? (2) Will the skill access external websites from your machine or via a remote service? (3) How are login-only pages, rate limits, and site terms handled? If you allow it to run, restrict it to a non-sensitive workspace, inspect or sandbox its network access, and be cautious about any prompts that request credentials or tokens for social platforms or stores.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: browser
