Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

芊云 VR Panorama Operations Assistant (芊云VR全景运营小助手)

v1.0.0

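A panoramic VR work management skill covering account login configuration (uid/token), works, media, scenes, hotspots, background music, voice narration, score queries, and integration guidance. Use it when the user asks to "configure login information", "create/modify/view a VR work", "upload media", "configure scenes and hotspots", "add music or a voice-over to a work", "view scores", "generate integration code", and similar.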

by tianming @tianming3

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for tianming3/9kvr-panorama.

Install the skill "芊云VR全景运营小助手" (tianming3/9kvr-panorama) from ClawHub.
Skill page: https://clawhub.ai/tianming3/9kvr-panorama
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

openclaw skills install 9kvr-panorama

ClawHub CLI

npx clawhub@latest install 9kvr-panorama

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description (9kvr VR panorama management) match the code: tools for works, media, scenes, hotspots, music, voice, scores, and account uid/token configuration. Requiring a local 'vr-api' client to forward requests is plausible for this purpose, but the code implements an implicit installer that downloads a native client (executable) into ~/.9kvr/client which is not surfaced in the skill metadata or install spec — an unexpected side effect for an instruction-only skill.
Instruction Scope
SKILL.md and prompts instruct the agent to accept uid/token and to use the vr-api client (examples show running `vr-api -login -uid <uid> -token <token>`). The runtime code reads/writes session data at ~/.9kvr/auth/vr-session.json and may read environment variables (API_TIMEOUT, AUTH_TOKEN, AUTH_UID, VRAPI_CDN). That file and env usage are relevant to the purpose (storing authentication) but were not declared in the metadata; the prompting enforces subprocess-based login and strict formatting rules which give the agent explicit instructions to call local commands.
! Install Mechanism
Although the skill declares no install spec, the API client will automatically download a native executable from a domain (DEFAULT_VRAPI_CDN = https://async.he29.com/public/app/mcp/cli) into ~/.9kvr/client and set it executable. The code attempts .gz extraction or raw download and writes the binary to disk. Silent download-and-execute of a native binary from a third‑party CDN is a high-risk install pattern and should be considered suspicious unless the domain and binary are verified.
! Credentials
Metadata lists no required env vars or primary credential, yet the code reads environment variables (API_TIMEOUT, AUTH_TOKEN, AUTH_UID, VRAPI_CDN) and will accept uid/token input to perform login and persist a session. The skill will persist auth to ~/.9kvr/auth/vr-session.json. Requesting or using uid/token is reasonable for this service, but the lack of declared credentials and the potential for the native client to perform arbitrary network I/O makes the credential access more sensitive than the metadata indicates.
! Persistence & Privilege
The skill creates and uses persistent directories under the user's home (~/.9kvr/client, ~/.9kvr/auth, ~/.9kvr/skills/cache), stores a session file, and executes a downloaded native client via subprocess. While not 'always: true', this grants the skill persistent disk presence and the ability to execute privileged native code on the host — a material privilege that should be explicitly disclosed and accepted by the user.
What to consider before installing
This skill otherwise looks consistent with its stated VR management purpose, but it silently downloads and runs a native 'vr-api' client from https://async.he29.com into ~/.9kvr and persists session files (uid/token) under ~/.9kvr/auth. Before installing or using it:

  • Verify the download domain and binary (async.he29.com / the vr-api client) out-of-band: confirm it's the official 9kvr provider and inspect the binary if possible.
  • If you cannot verify the binary, do not allow the skill to run on sensitive machines; instead run it in a sandbox/VM or use a disposable account.
  • Be aware the skill will store credentials in ~/.9kvr/auth/vr-session.json; use a least‑privilege account or rotate credentials after testing.
  • Ask the publisher to explicitly declare the env vars and the implicit install behavior in the metadata (VRAPI_CDN, AUTH_UID/AUTH_TOKEN usage, directories written).
  • If you need higher assurance, request source-of-truth (signed releases, checksums, or a trusted package host) for the native client rather than allowing silent downloads.

src/tools/develop.py:595
Environment variable access combined with network send.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest: vk972rmzjesmhxm3ervxy9w9g8d83tamd
99 downloads · 0 stars · 1 version
Updated 4w ago
v1.0.0
MIT-0

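VR Panorama Work Management Skill

What

9kvr-panorama is an operational skill for panoramic VR content production and management. It handles, in one place, the key steps from media ingestion through the configuration done before a work is published, and covers the following capabilities:

  • Work management: create works, view details, read scenes, update basic information
  • Media management: upload media, query media, update descriptions, delete media, get download links
  • Scene management: scene list, details, update, delete
  • Hotspot management: query hotspots, add scene-jump hotspots, add text hotspots, delete hotspots
  • Music management: music tags, music search, smart matching, attaching background music
  • Voice management: narrator list, voice generation, task polling, voice upload, attaching voice
  • Scoring and diagnostics: read work scores, get version and global context
  • Account configuration: set/update the login uid/token
  • Integration development: integration guides and code generation for mini programs, web pages, and existing systems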

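Why

The goal of this skill is not to be a "complete command list" but a "reusable execution flow for beginners".

  • Lower the learning cost: capabilities are organized by business action rather than piled up by API field
  • Lower the chance of errors: emphasizes the order "query before changing, re-check after changing"
  • Improve delivery efficiency: tasks of the same kind can reuse the flows and command templates directly
  • Ensure traceability: every key change can be re-confirmed through info/list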

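Where (where to find the details)

First decide "which script/command to call", then look at the parameters and examples. Read in this order:

  1. Call routing (read first): references/router.md
  2. Command and parameter overview: references/commands.md
  3. Standard operating procedures (SOP): references/workflows.md
  4. End-to-end scenario examples: references/examples.md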

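Invocation principles (execution constraints for the AI)

  1. For every request, first perform "intent classification"; it must map to one module: works/media/scenes/hotspot/music/voice/score/develop/info (including account configuration)
  2. Based on the module, select the corresponding script and command group in references/router.md.
  3. Read before writing: prefer list/info/scenes/hotspot list first, then run create/update/add/delete
  4. Re-check after writing: after any write action, a read command must be appended to verify the result.
  5. For deletions, overwrites, and batch operations, restate the target ID and the scope of impact before executing.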

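Usage boundaries

  • This skill focuses on "management and configuration" and does not cover the details of immersive front-end rendering development.
  • When it is unclear which module a request belongs to, use the "minimal call template" in references/router.md first to decide.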
