ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Clash Node Manager

v1.0.0

Manages Clash proxy nodes by listing current node status, available nodes in groups, and switching to specified nodes by name or index.

0· 716·1 current·1 all-time
byYonghao Zhao@yonghaozhao722
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the included code and SKILL.md: the Python script queries and manipulates Clash via the local API (default http://127.0.0.1:9090). The manifest lists python3 as a tool and a plausible upstream repo. No unrelated credentials, cloud services, or binaries are requested.
Instruction Scope
SKILL.md instructs the agent to run check_clash.py with a small set of flags (list, switch, switch-by-index). The script only performs HTTP requests to the local Clash API endpoints (/version, /proxies, /connections, and PUT to /proxies/<group>) and prints results. It does not read arbitrary files or transmit data to external endpoints.
Install Mechanism
There is no remote download/install step; the skill is instruction-only and includes the script in the package. The manifest's install destination is a local path and does not pull code from external, untrusted URLs. This is low-risk from an install perspective.
Credentials
The skill declares no required environment variables or credentials, which is appropriate. The script supports an optional 'secret' (Clash API bearer token) and a custom API URL, but SKILL.md does not document how to supply them; this is a minor documentation mismatch (functional, not obviously malicious).
Persistence & Privilege
always is false and the skill is user-invocable. It does not request persistent elevated privileges or claim to modify other skills or system-wide configuration beyond interacting with the local Clash API (which is its stated purpose).
Assessment
This skill appears to do what it says: it calls the local Clash HTTP API to list and switch proxy nodes. Before installing, confirm you run Clash with its API enabled at the default address (127.0.0.1:9090) or know how to pass a custom API URL/secret to the script. Note that the script uses the requests Python package (the manifest only lists python3), so the runtime environment needs that dependency. Because the skill can change your proxy selection, only install it if you trust the included code and the listed author/repository. If you need stronger assurances, review the full check_clash.py source (already included) or run it locally in a controlled environment first.

Like a lobster shell, security has layers — review code before you run it.

latestvk9744f21sys2m68km9yzcm2d39817bc6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments