Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

58区块同城

v1.0.0

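A blockchain-based digital city platform offering digital block browsing, city popularity lookup, NFT avatar trading, and participation in block activities.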

bybittao@hgta23

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hgta23/5.

Install the skill "58区块同城" (hgta23/5) from ClawHub.
Skill page: https://clawhub.ai/hgta23/5
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install 5

ClawHub CLI

npx clawhub@latest install 5
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description describe a blockchain city/NFT service and SKILL.md shows network calls to blockcity.vip for city rankings and details — this aligns with the stated purpose. However, SKILL.md also lists permissions (file.read, file.write) and required binaries (curl, python3) that are not declared in the registry metadata section presented to the platform, producing an inconsistency that reduces trust.
! Instruction Scope
Runtime instructions tell the agent to fetch data from https://www.blockcity.vip endpoints and parse JSON/HTML which is fine for the stated tasks. But the SKILL.md requests broad permissions (network, file.read, file.write). The instructions do not specify what local files are read/written or how user credentials/wallet data would be handled — giving the agent file read/write plus network ability could enable exfiltration of local secrets unless tightly constrained.
Install Mechanism
No install spec and no code files — lowest-risk distribution model. The skill is instruction-only so there is no downloaded/installed binary from untrusted URLs.
! Credentials
The skill declares no required environment variables or primary credential, yet describes features (purchasing NFTs, managing wallet, login-required actions) that normally require credentials or wallet access. SKILL.md also requests file read/write permissions even though no files or config paths are declared. This mismatch means the skill could require ad-hoc credentials or file access at runtime without prior declaration, which is disproportionate and ambiguous.
Persistence & Privilege
always is false and the skill does not claim to modify other skills or system-wide settings. Autonomous invocation is allowed (platform default) but is not combined with other high‑privilege requests here.
Scan Findings in Context
[no_code_files] expected: The regex scanner found nothing because this is an instruction-only skill (no code files). That is consistent with the package format, but it means we must rely on SKILL.md for behavior review.
What to consider before installing
This skill appears to do what it says (query city rankings and browse NFTs) but there are important inconsistencies you should clear up before installing or granting permissions:

  1. SKILL.md requests file.read and file.write permissions but the package declares no required config paths or environment variables — ask the author which local files will be accessed and why.
  2. NFT purchase/management normally requires wallet credentials — the skill declares none; never provide wallet private keys or API secrets directly through the skill without clear, documented handling.
  3. Verify the endpoints (https://www.blockcity.vip and https://www.58.tl) are legitimate and that traffic will not be forwarded to unexpected third parties.
  4. If you must try it, run in a sandboxed environment and do not use real wallet credentials or sensitive local files until the author clarifies permission use and credential handling.

Like a lobster shell, security has layers — review code before you run it.

latestvk977ntrt4n1k86gmmnmvt1rfzx84d9w3
105 downloads
0 stars
1 version
Updated 2w ago
v1.0.0
MIT-0

name: 58
description: "58区块同城:基于区块链技术的数字城市服务平台,提供数字区块、城市人气、NFT头像等服务。使用场景:用户需要了解数字城市信息、查看城市人气、购买NFT头像、参与区块活动时使用。"
version: 1.0.0
author: 58区块同城
homepage: https://www.58.tl
permissions: ["network", "file.read", "file.write"]
metadata:
  openclaw:
    requires:
      bins: ["curl", "python3"]
      env: []
    os: ["linux", "darwin", "win32"]

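58区块同城 Skill

A digital city service platform built on blockchain technology, offering digital blocks, city popularity, NFT avatars, and related services.

Use Cases

Use this skill when the user needs to:

  • Learn about digital city information
  • View city popularity rankings
  • Buy and manage NFT avatars
  • Take part in block activities
  • Learn how blockchain technology is applied in cities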

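Features

  1. Digital blocks: browse and buy digital blocks, and learn about block value and development trends
  2. City popularity: view each city's popularity index to gauge its vitality and development potential
  3. NFT avatars: browse, buy, and manage NFT avatars, and take part in digital collecting
  4. Block activities: learn about and take part in blockchain-related activities and projects
  5. Digital city: explore how digital cities are being built and developed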

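Execution Steps

  1. City ranking query
    • Receive the user's query
    • Fetch city ranking data from https://www.blockcity.vip/pages/block/area
    • Parse and organize the ranking information
    • Present the city popularity ranking results
  2. City detail query
    • Receive the city specified by the user
    • Look up the city's 4-digit area code
    • Fetch the city's details from https://www.blockcity.vip/{4-digit city area code}
    • Parse and organize the detailed data
    • Present the city's details
  3. NFT management
    • Browse the NFT avatar marketplace
    • Buy and trade NFT avatars
    • Manage the personal NFT collection
  4. Block participation
    • Learn about block activities
    • Take part in block voting and governance
    • Track block developments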

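Notes

  • Requires a network connection
  • Some features may require the user to log in to a 58区块同城 account
  • Buying NFT avatars requires a digital wallet
  • Comply with laws and regulations relating to blockchain
  • City detail queries require the correct 4-digit area code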

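Example Usage

Query the city popularity ranking:
User: "Show me the city popularity ranking"
Skill: Fetches city ranking data from https://www.blockcity.vip/pages/block/area and returns the top 10 cities with their popularity indexes

Query city details:
User: "Details for Beijing"
Skill: Looks up Beijing's 4-digit area code, fetches the details from https://www.blockcity.vip/{area code}, and returns the city's block data, popularity index, development trends, and so on

Browse NFT avatars:
User: "I'd like to see the latest NFT avatars"
Skill: Shows the latest NFT avatar collections, including price, creator, rarity, and other information

Learn about digital blocks:
User: "What is a digital block?"
Skill: Explains the concept, value, and use cases of digital blocks and provides related block information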

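Technical Implementation

  • Uses curl to call the https://www.blockcity.vip APIs
  • Parses JSON/HTML data to obtain city rankings and details
  • Supports blockchain data queries and processing
  • Provides NFT trading and management features
  • Runs on multiple platforms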
