Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Shuttle AI Chatbot
v2.0.1直接調用本地 AI /chat_direct API,支援單次與批次查詢,產品比較,輸出 JSON 或純文字,無需瀏覽器自動化。
⭐ 0· 109·1 current·1 all-time
byhttps://github.com/account/ssh@sean810720
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The name/description match the code: the CLI issues POSTs to a /chat_direct endpoint and supports single and batch queries. It does not request credentials or config paths. Minor inconsistencies: SKILL.md repeatedly states session ID format 'shuttle-cli-YYYYMMDD', while index.js actually generates 'shuttle-cli-{random16}_{YYYYMMDD}' (the README also mentions a random 16-code). SKILL.md changelog claims prior URL validation to restrict to localhost/private IPs, but there is no URL validation in the code — the CLI accepts any --url.
Instruction Scope
The runtime instructions and code shell out to curl via child_process.exec with a command string that interpolates user-provided inputs (options.url and queries). These inputs are not validated or safely escaped. That creates command-injection and/or broken-shell-invocation risks (e.g., malicious --url or a query line containing characters that break the single-quoted JSON payload). Although the SKILL.md states the tool is meant for local/private endpoints, the code allows arbitrary URLs, so an attacker or misconfiguration could make the tool send data to external hosts.
Install Mechanism
No external download/install script is present; the package includes index.js and a normal package.json with a single dependency (commander). There is no install spec that fetches arbitrary archives or executes remote installers. The Node dependency is from the npm registry (package-lock included).
Credentials
The skill does not request environment variables, credentials, or config paths. It requires a reachable AI service URL (default is a private IP) and Node/curl. However, because the URL is user-controllable and not validated, the tool can be used to transmit query contents to arbitrary endpoints — a proportionality/abuse risk even though no secrets are requested.
Persistence & Privilege
The skill does not request elevated or persistent privileges; 'always' is false and there is no behavior that modifies other skills or global agent settings. It is a normal user-invoked CLI skill.
What to consider before installing
This skill appears to do what it says (call a local /chat_direct API), but it constructs curl commands by interpolating user-provided URLs and queries into a shell command without validation or safe escaping. That can lead to command injection or accidental data exfiltration to arbitrary hosts. Before installing or running: (1) review or run the code in a sandbox/container; (2) avoid passing untrusted --url values and do not point it to public endpoints unless you trust them; (3) avoid feeding untrusted batch files; (4) consider patching the code to use a proper HTTP client (e.g., node's fetch or axios) or use child_process.spawn/execFile with arguments (not a single shell string), and validate/whitelist allowed hosts (localhost/private IPs) to enforce the intended local-only behavior; (5) verify the session ID/README inconsistencies if you need exact logging format. If you are not comfortable reviewing or patching the code, do not run it against sensitive environments or as privileged user.skill.json:42
Install source points to URL shortener or raw IP.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.Like a lobster shell, security has layers — review code before you run it.
latestvk97ae8s5wkdezqztjnrfejn9jx836sj6
License
MIT-0
Free to use, modify, and redistribute. No attribution required.