ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Cn Installer

v1.0.1

OpenClaw 中文安装配置助手。一键检测环境、配置国产 AI 模型(DeepSeek/智谱/阿里通义)。适合中国用户快速上手 OpenClaw。

0· 95·0 current·0 all-time
by@yang1002378395-cmyk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Chinese installer for DeepSeek/智谱/阿里通义) align with the included files: environment checker, model setup (writes local .env and config.json), and connection tester that POSTs to the declared provider endpoints.
Instruction Scope
SKILL.md tells the agent to run the three included scripts and references only ~/.openclaw files and provider endpoints. The scripts only inspect the system environment, prompt for API keys, store them locally, and call provider APIs to test connectivity—no unrelated file reads or external endpoints beyond provider/platform URLs and the npm mirror check.
Install Mechanism
No install spec; this is instruction-plus-scripts only. Files are plain JS and package.json points to a GitHub repo. No downloads from untrusted URLs or archive extraction steps are present.
Credentials
The skill requests no environment variables from the platform, but it prompts users to enter provider API keys and stores them in plaintext at ~/.openclaw/.env and writes ~/.openclaw/config.json. This is expected for a local installer but users should be aware keys are stored locally and readable by any process with access to that path.
Persistence & Privilege
always is false and there is no attempt to modify other skills or system-wide agent settings. The skill creates/updates files only under the user's home ~/.openclaw directory, which is consistent with its role.
Assessment
This skill appears to do what it says: it checks your environment, prompts you for API keys for DeepSeek/智谱/阿里通义, saves them to ~/.openclaw/.env (plaintext), updates ~/.openclaw/config.json, and tests connections to the listed provider endpoints. Before installing: (1) confirm you trust the source (package.json repo URL) because the tool will store API keys locally; (2) ensure ~/.openclaw has appropriate filesystem permissions; (3) prefer creating limited-scope API keys and rotate them if you later distrust the tool; (4) you can inspect the three JS files yourself—there is no hidden network exfiltration in the code, only requests to the declared provider domains and an npm mirror check; (5) if you need stricter security, avoid entering high-privilege keys here or use environment-level secrets managers instead.
check-env.js:50
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

chinesevk97abtjc4xqnjz850sagshjtb18375hddeepseekvk97abtjc4xqnjz850sagshjtb18375hdinstallervk97abtjc4xqnjz850sagshjtb18375hdlatestvk97cc6spm91pm66qwpntcvwx75838f1d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments