ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

test

v1.0.0

Expert AI agent specializing in china market localization strategist. From The Agency (github.com/msitarzewski/agency-agents).

0· 62·0 current·0 all-time
by@zhouqkt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoCan make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, and SKILL.md are coherent: the skill is a China-market localization strategist and the instructions describe exactly that role and deliverables.
Instruction Scope
The instructions direct the agent to aggregate hotlist data from 7+ Chinese platforms, triangulate signals, and 'remember and compound' knowledge. They do not reference reading unrelated system files or exfiltrating user data, but they are vague about how data is fetched and where memory is stored—granting the agent broad discretion to choose scraping vs. API calls and storage mechanisms.
Install Mechanism
No install spec and no code files are provided (instruction-only), so nothing will be written to disk by the skill itself. This is the lowest-risk install model.
Credentials
The skill declares no required environment variables or credentials, yet the instructions imply access to multiple platform APIs and ad accounts (e.g., Qianchuan/聚光/广点通). This mismatch (expecting external API access but declaring no credential requirements) is an inconsistency that could lead to unexpected behavior or to the agent requesting credentials at runtime.
Persistence & Privilege
always is false, no persistent install, and there is no indication the skill modifies other skills or system-wide settings. 'Memory' is behavioral/instructional but no explicit storage mechanism or config paths are requested.
What to consider before installing
This skill appears to do what it says, but before installing, ask the publisher how the agent will collect platform data and where 'memory' is stored. Specifically: (1) Will it use public scraping or platform APIs? If APIs, which endpoints and what credentials are needed? (2) Does the skill expect you to supply API keys or ad-account credentials later (and how will those be stored/protected)? (3) What data—especially any account, user, or customer data—will the agent read, retain, or transmit? Because the SKILL.md is instruction-only and doesn't declare needed credentials, clarify these points to avoid unexpected credential requests or data exfiltration. If you must proceed, restrict any credentials to least privilege and review any runtime prompts carefully.

Like a lobster shell, security has layers — review code before you run it.

latestvk9742r85420dkbeacf4d0sgeq984jgck

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🇨🇳 Clawdis

Comments