Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

iHub Daily Report Auto-Fill

v1.0.2

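Automatically fills in the daily report for a specified date on the iHub test farm platform, with support for a custom account and password and Markdown-formatted content input.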

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, SKILL.md steps, and index.js all align: they automate logging into an iHub instance and filling a daily report. The BASE_URL points to an iHub login page and the script computes the target date/week and returns browser actions. No unrelated services, environment variables, or binaries are requested.
Instruction Scope
Instructions explicitly direct the agent to open the iHub login page, enter username/password, navigate the UI, and use the evaluate API to inject JavaScript to populate markdown fields. That scope matches the purpose, but it requires providing plaintext credentials and performing JS injection in the browser — actions with inherent sensitivity. The SKILL.md does not instruct reading any unrelated local files or env vars.
Install Mechanism
No install specification is provided (instruction-only). A single helper script (index.js) is included but there is no downloadable/external install step, no archive extraction, and no third-party package fetch at install time.
Credentials
No environment variables or external API tokens are requested. The skill requires the user's iHub username and password as parameters — reasonable for a login-based automation but sensitive. There is no justification for asking for other secrets or global credentials.
Persistence & Privilege
The skill is not marked always:true and does not request system-wide persistence or modify other skills. It simply returns a sequence of browser actions and helper functions; it does not store credentials or alter platform settings.
Assessment
This skill appears to do what it claims: automate filling an iHub daily report by logging in and injecting JavaScript via a browser automation tool. Before installing or using it:

1) Only provide your iHub credentials if you trust the skill and the environment — prefer a low-privilege or test account.
2) Confirm the BASE_URL matches your real corporate iHub (avoid giving credentials to unexpected domains).
3) Understand that the agent will perform browser actions and use evaluate() JS injection — that can read or modify anything visible in the browser session, so avoid using high-privilege accounts or sessions with sensitive data.
4) If possible, run the included index.js in a safe/test environment first and review the code (it only composes dates and returns step instructions; actual automation is performed by the agent's browser tool).
5) If you require stronger protection, consider using temporary credentials or manual confirmation before the skill submits the final report.

Like a lobster shell, security has layers — review code before you run it.
