Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Dedicated Android Development

v1.0.0

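Professional full-stack Android development, covering app development, AOSP customization, performance optimization, hidden API calls, and backend service integration.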

by 万里 @mygithubtom
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill claims heavy system-level capabilities (AOSP compilation, MTK adaptation, Framework customization). As an instruction-only skill it can plausibly provide guidance, but it does not declare or document the substantial build prerequisites (repo/git, Java toolchain, make, cross-compilers, large disk/network, vendor toolchains) one would expect. That omission is an incoherence: either the skill should declare required tools/environments or its claims are overly broad.
Instruction Scope
SKILL.md promises concrete, directly-executable commands, scripts and code snippets and explicitly lists '隐藏 API' and '权限绕过' (hidden API calls and permission bypass). Providing working examples to bypass permissions or call protected system APIs is sensitive and can enable misuse. The instructions do not include constraints, safety checks, or guidance to limit use to legitimate testing/dev scenarios.
Install Mechanism
No install spec and no code files — lowest install risk. Nothing will be written by an installer, which is coherent for an instruction-only skill. However, because the skill promises build instructions, the absence of declared prerequisites reduces clarity (see purpose_capability).
Credentials
The skill requires no environment variables or credentials, which is proportionate in that it requests no secrets. However, for system-level tasks (AOSP builds, vendor/platform adaptation) one would often need access to large local resources or vendor binaries; the lack of any required config paths or tool declarations is an information gap rather than an explicit overreach.
Persistence & Privilege
Skill is not always-enabled and does not request elevated platform privileges. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags here.
What to consider before installing
This skill can legitimately provide Android development guidance, but it also offers powerful, sensitive techniques (hidden-API calls and permission bypass) without safety guidance or declared prerequisites. Before installing or using it:

1) ask the skill author for a list of exact build/tool prerequisites and any expected local file access;
2) request explicit safety/ethics constraints (e.g., only provide examples for legitimate testing, require explicit user confirmation before giving bypass code);
3) never run code or commands verbatim on a production device—test in isolated VMs or emulators;
4) if you need AOSP build instructions, prefer guidance that documents required tools, disk/network costs, and vendor blobs; and
5) if you are uncomfortable with instructions that enable permission bypass, do not install/enable the skill.

Additional info (author homepage, source repository, or examples of prior work) would raise confidence.

Like a lobster shell, security has layers — review code before you run it.
