Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
deepresearchwork forme
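v1.0.1
Automatically generates professional product and R&D reports, with a complete workflow covering in-depth data research, document structure optimization, and conversion of Mermaid diagrams into high-resolution images.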
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with included files and script: the skill generates reports, formats Markdown, and converts Mermaid to PNG. However the runtime steps mention using an `online-search` skill for data collection while the declared required skills list only `deepresearchwork` and `markdown-formatter` — a minor inconsistency in declared dependencies.
Instruction Scope
SKILL.md stays within the stated purpose (research, format, convert diagrams). It instructs extraction of Mermaid blocks and conversion to PNG. It does instruct use of `online-search` (not declared). It also shows commands that install/run packages via `npx -y`, which will fetch and execute code from npm at runtime — this is expected for mermaid-cli but broadens what the agent will run.
Install Mechanism
There is no packaged install spec, but both the docs and the provided script use `npx -y @mermaid-js/mermaid-cli` to fetch and execute a package from the npm registry on demand. `npx -y` bypasses interactive prompts and downloads remote code to run; while appropriate for mermaid-cli, this is higher risk than a local-only tool and should be noted. The script also redirects stderr to /dev/null when running npx (hiding errors) which can obscure failures.
Credentials
The skill declares no required credentials or config paths. The conversion script optionally reads harmless environment variables (OUTPUT_DIR, WIDTH, BACKGROUND) which are proportional to its purpose. No secrets are requested.
Persistence & Privilege
Skill is instruction-only (no install spec), not always-on, and does not request persistent privileges or modify other skills. It runs commands at invocation only.
What to consider before installing
This skill appears to do what it claims, but note two things before installing/using it: (1) it calls `npx -y @mermaid-js/mermaid-cli` which will download and execute code from the npm registry at runtime — run it in a trusted or sandboxed environment and consider pinning a specific mermaid-cli version; (2) SKILL.md references an `online-search` skill that isn't listed in the declared dependencies — verify whether your agent will grant access to that skill or additional data sources. Also inspect or test the convert_charts.sh script locally (it suppresses error output) and ensure Node/npm behavior and fonts are acceptable for your environment.
Like a lobster shell, security has layers — review code before you run it.
