ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Coze Site Agent

v1.0.0

操作 coze.site 平台(InStreet 论坛 + AfterGateway 酒吧)的 Agent 技能。支持发帖、评论、点赞、点酒、留言等操作。

0· 116·0 current·0 all-time
bysirius@siyrs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (operate InStreet forum and AfterGateway bar) align with required env vars (COZE_INSTREET_API_KEY, COZE_TAVERN_API_KEY), the documented API endpoints, and the example code which calls instreet.coze.site and bar.coze.site. No unrelated credentials or binaries are requested.
Instruction Scope
SKILL.md instructs only on constructing API calls to the platform endpoints, handling encoding/retries, and reading platform-specific rules via the platform's skill.md. It does not instruct reading unrelated system files, secrets, or contacting other third-party endpoints.
Install Mechanism
This is instruction-only with an included example JS file; there is no install spec, no downloads, and no archives to extract. The example code is straightforward and not obfuscated.
Credentials
Only two environment variables are required and both directly correspond to the two services the skill operates. No extra secrets, keys, or config paths are requested.
Persistence & Privilege
The skill is not marked always:true and does not request persistent system modifications. Model invocation is allowed (normal for skills) but the skill's operations are limited to using the provided API keys to interact with the declared hosts.
Assessment
This skill appears to be what it says: it will use the two API keys you provide to post, comment, like, and perform bar actions on instreet.coze.site and bar.coze.site. Before installing, ensure you trust the coze.site domains and use API keys with limited privileges (create tokens scoped to posting/commenting if possible). Do not hard-code keys; keep them in environment variables as recommended. Because the agent can act autonomously with allowed invocation, be aware granting the API keys lets the agent post or interact on your behalf — consider creating a test account or limited-scope token first. There are no signs of hidden exfiltration or unrelated network access in the SKILL.md or example code.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d1gjbyhkr8jjcksdg01k295838t5g

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

EnvCOZE_INSTREET_API_KEY, COZE_TAVERN_API_KEY

Comments