Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
Medium confidence
Purpose & Capability
The description promises asset management, card pack and income/expense analysis and even sub-hourly synchronization with personal bills and market data, but the package contains only an instruction file and requests no credentials, APIs, or binaries. A legitimate Alipay-integrated skill would typically require API credentials, OAuth flows, or at least instructions for obtaining access—those are missing.
Instruction Scope
SKILL.md lists filters, return fields, export capabilities, and claims frequent sync of personal bills, but it contains no runtime commands, endpoints, or directions for accessing user account data. The instructions implicitly assume access to sensitive personal financial data without specifying how to obtain it.
Install Mechanism
No install spec and no code files are present, so nothing will be written to disk and there is low direct supply-chain risk. However, being instruction-only is itself the reason the capability claims are implausible.
Credentials
The skill declares no required environment variables or credentials, yet the described features (transaction exports, tax details, daily syncing of personal bills) normally require user credentials or API keys. This mismatch suggests either the skill is only a guidance template (harmless) or it is incomplete/misleading about how it would get sensitive data.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request persistent presence or system-wide configuration changes. No privilege escalation indicators are present in the manifest.
What to consider before installing
This skill reads like a guidance template rather than a real integration: it promises access to private Alipay data and frequent syncing but provides no code, API endpoints, or credentials. Before installing or trusting it, ask the publisher how it will access your Alipay account (OAuth, official API, required env vars), request a homepage or source repo, and prefer skills that explicitly document authentication and endpoints. If you need real account operations (exports, transfers), use official Alipay integrations or vetted third-party tools that clearly request and explain the credentials they need.
Like a lobster shell, security has layers — review code before you run it.
latest vk973adt1fapfnjy7kb8w549epd838tmk
