Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
youclaw
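v1.0.1 有米云 (Youmi Cloud) intelligent marketing analysis assistant: breaks down ad creatives in depth and uncovers brand ad-placement strategies. Triggers: keywords 分析品牌, 品牌分析, 策略探索, 投放策略; commands `/creative-chat`, `/youclaw`, `/youmiyun
by youcloud@sheire977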
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (marketing/creative analysis) matches the declared API endpoint (aichat.youshu.youcloud.com) and the single required env var YOUCLOUD_API_KEY. No unrelated binaries, config paths, or unrelated credentials are requested.
Instruction Scope
The SKILL.md instructs the agent to read/write a local config.json, accept an API key provided directly by the user in chat, save that key to config.json, and persist session_id for follow-ups. It also mandates waiting silently up to 600s for API responses. Reading/writing local files and accepting keys over chat are outside purely 'read-only analysis' behavior and introduce privacy/exfiltration risks if keys are mishandled or the agent environment is shared.
Install Mechanism
No install spec and no code files (instruction-only). This is the lowest installation risk — nothing is downloaded or installed by the skill itself.
Credentials
Only YOUCLOUD_API_KEY is required, which is proportionate to calling the provider's API. However, the instructions allow overriding the env var by pasting a key into chat to be saved to disk; that practice increases risk and is not justified by a need for multiple unrelated credentials.
Persistence & Privilege
The skill persists secrets (API key) and session_id to a local config.json. always:false (not force-included) and it doesn't request system-wide settings, but persisting unencrypted credentials to disk is a security/privacy concern. The skill does not request elevated platform privileges, but it will create/modify its own local config file.
What to consider before installing
This skill legitimately needs a YOUCLOUD API key to call the provider, but its instructions encourage you to paste that key into chat so the agent can save it to config.json. Avoid sending secrets in chat if possible. Instead: set YOUCLOUD_API_KEY as an environment variable in the agent runtime or place the key in a securely-managed config (not public plaintext). If you must use a key stored on disk, restrict file permissions, avoid shared environments, and consider using a limited-scope/test API key that you can rotate. Confirm with the provider how keys are stored (encrypted at rest?) and ask for secure storage options. Be aware the skill will wait silently for up to 600 seconds for API responses, which can make the agent unresponsive during long calls.
Like a lobster shell, security has layers — review code before you run it.
latestvk97b33cgbtfs5r49km8965bm1x84r8k2
Runtime requirements
📊 Clawdis
Env: YOUCLOUD_API_KEY
