Business Opportunity Screenshot
Generate a business opportunity Skills report with ClawHub data, open it in Chromium, and capture a full-page screenshot saved to the output directory.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
by xingxiuye@JakLiao
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the behavior: the script calls clawhub, builds an HTML report, and uses puppeteer-core to capture a screenshot. However the registry metadata declares no required binaries/env or credentials while SKILL.md and the script require clawhub CLI, chromium-browser, DISPLAY/WSL2, and an npm dependency. That mismatch (no declared requirements but required at runtime) is incoherent.
Instruction Scope
SKILL.md and scripts instruct running shell commands (clawhub search/inspect, launching Chromium with --remote-debugging-port) and write output under a hardcoded workspace path (/home/xiaoduo/.openclaw/workspace-product). The script executes shell commands with execSync (15s timeout). The hardcoded absolute path and use of remote debugging broaden scope beyond a simple screenshot tool and could fail or misbehave on other hosts.
Install Mechanism
There is no formal install spec, but package.json/package-lock include puppeteer-core. SKILL.md tells users to run npm install manually. This is an inconsistency: dependencies exist but installation is left to the user. The package-lock pulls puppeteer-core and related packages from public npm (npmmirror registry), which is expected but requires network install; no direct downloads from suspicious URLs were found.
Credentials
The skill requests no credentials, which is appropriate. But it implicitly requires environment-specific items: clawhub CLI, chromium-browser, DISPLAY (WSL2), and a writable workspace at a specific absolute home path. Requiring a specific user's home path is disproportionate and fragile — it can expose or overwrite files in that location if present.
Persistence & Privilege
The skill does not request always:true and does not declare system-wide persistence. It runs on demand. One operational risk: launching Chromium with --remote-debugging-port opens a local debug port (9222) which, while local, increases the attack surface while the browser is running.
What to consider before installing
This skill appears to do what it says, but there are several red flags to consider before installing: (1) It assumes the clawhub CLI and chromium-browser are installed and requires you to run npm install puppeteer-core manually — the package metadata did not declare these requirements. (2) The script uses a hardcoded workspace path (/home/xiaoduo/.openclaw/workspace-product) for reading/writing output — on your system this may point to a different user or not exist; it could overwrite files if that path exists. (3) It launches Chromium with --remote-debugging-port=9222 and connects puppeteer to it; this opens a local debug port while running and increases risk. (4) The code executes shell commands (clawhub) via execSync; review these commands and outputs if you care about confidentiality. Recommendations: inspect the scripts locally, run the skill in an isolated environment (container or VM), adjust the workspace/output paths to a safe directory, ensure you trust the clawhub CLI source, and only run npm install in a controlled environment. If you need higher assurance, ask the author for an install spec and for removal of hardcoded paths.
scripts/screenshot.js:41
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
Business Opportunity Skills Report & Screenshot
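Generates a recommendation report of business-opportunity Skills, then opens the page in Chromium and saves a full-page scrolling screenshot.
Features
- Smart search: calls the ClawHub API to search for business-opportunity Skills
- Fallback mechanism: when the API is rate-limited or fails, automatically uses preset data for 15 popular business-opportunity Skills
- Detailed report: generates a styled HTML report grouped by category
- Automatic screenshot: launches the Chromium browser and captures a full-page image automatically
Preset data (used when the API fails)
When the ClawHub API rate-limits requests, the following preset Skills are used automatically:
🔍 Opportunity discovery
- opportunity-discovery
- business-opportunity-detector
- opportunity-assessment
📊 Market analysis
- market-environment-analysis
- market-analysis-cn
- market-sentiment-pulse
💼 Business strategy
- business-development
- business
- startup
🎯 Lead generation
- lead-generation
- lead-researcher
🛠️ Startup tools
- startup-toolkit
- startup-financial-modeling
- competitor-analysis
Input parameters
- query: search keyword (optional, default "opportunity")
- output_name: output file name (optional, default "商业发现-${日期}", where ${日期} is the date)
Output
- HTML report file (saved in the workspace root directory)
- The page opened in the Chromium browser
- Full-page screenshot saved to the output directory (file name: ${output_name}.jpg)
Dependencies
- clawhub CLI
- chromium-browser
- puppeteer-core npm package
- WSL2 environment + DISPLAY=:0
Install dependencies
cd /home/xiaoduo/.openclaw/workspace-product/skills/business-opportunity-screenshot
npm install puppeteer-core
Usage
# Basic usage
node scripts/screenshot.js
# Specify the search keyword
node scripts/screenshot.js business
# Specify the output name
node scripts/screenshot.js opportunity "商机报告-2026-03-16"
Key tools
1. ClawHub search
clawhub search <keyword>
2. Get Skill details
clawhub inspect <skill-slug>
3. Launch Chromium (debug mode)
export DISPLAY=":0" && chromium-browser --remote-debugging-port=9222 <url>
4. Connect with Puppeteer and take the screenshot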
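const puppeteer = require('puppeteer-core');
(async () => {
  const browser = await puppeteer.connect({ browserURL: 'http://localhost:9222' }); // Chromium started in step 3
  const [page] = await browser.pages(); // first open tab
  await page.screenshot({ path: 'output.jpg', fullPage: true });
})();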
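The scan above flags shell execution through execSync and a hardcoded workspace path. The following is an added example, not the skill's own code, showing one way to call `clawhub search` without a shell and to confine the screenshot file to an output directory; `SKILL_OUTPUT_DIR` and all function names are assumptions made for illustration.

```javascript
// Added example; not taken from scripts/screenshot.js.
const { execFileSync } = require('child_process');
const os = require('os');
const path = require('path');

// Output directory: read from a hypothetical SKILL_OUTPUT_DIR variable, else
// derived from the current user's home rather than a fixed /home/<user> path.
function resolveOutputDir(env = process.env) {
  return path.resolve(env.SKILL_OUTPUT_DIR ||
    path.join(os.homedir(), '.openclaw', 'workspace-product', 'output'));
}

// Build the screenshot path and refuse names that would leave outputDir.
function safeOutputPath(outputDir, outputName) {
  if (typeof outputName !== 'string' || outputName.length === 0 ||
      outputName.length > 100 || /[\/\\\0]/.test(outputName)) {
    throw new Error('invalid output_name');
  }
  const base = path.resolve(outputDir);
  const full = path.resolve(base, `${outputName}.jpg`);
  if (path.dirname(full) !== base) {
    throw new Error('output path escapes output directory');
  }
  return full;
}

// argv for `clawhub search`. The keyword must start with a letter or digit,
// so it can be neither shell syntax nor an option such as "--flag".
function clawhubSearchArgs(query) {
  if (typeof query !== 'string' ||
      !/^[\p{L}\p{N}][\p{L}\p{N} _-]{0,63}$/u.test(query)) {
    throw new Error('invalid query');
  }
  return ['search', query];
}

// execFileSync spawns no shell, so ; | $() in a keyword cannot start another
// command. The 15 s timeout mirrors the one the scan reports for the script.
function runClawhubSearch(query) {
  return execFileSync('clawhub', clawhubSearchArgs(query),
    { encoding: 'utf8', timeout: 15000 });
}
```
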
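Trigger phrases
- 商机发现报告 (business opportunity discovery report)
- 商机 skills 截图 (business opportunity skills screenshot)
- 商业机会 skills 报告 (business opportunity skills report)
- 生成商机发现页面并截屏 (generate the business opportunity discovery page and take a screenshot)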
