Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

数学计算器 (Math Calculator)

v1.0.0

Supports math expression evaluation and unit conversion, including the four arithmetic operations, scientific functions and common constants; purely local, safe computation with no external dependencies.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for freedompixels/cn-math-calculator.

Prompt preview (Install & Setup):
Install the skill "数学计算器" (freedompixels/cn-math-calculator) from ClawHub.
Skill page: https://clawhub.ai/freedompixels/cn-math-calculator
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install cn-math-calculator

ClawHub CLI


npx clawhub@latest install cn-math-calculator
Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (high confidence)

Purpose & Capability
Name and description promise a local, safe math calculator with no external dependencies, which matches the included script and the absence of installs or credentials. However, SKILL.md explicitly states "不使用eval" (does not use eval) while the shipped script uses Python's eval(); this is a direct contradiction between the claimed purpose and the actual capability.
Instruction Scope
SKILL.md instructs local usage and no external communication, which the code follows. But it also asserts a safe evaluation method; the runtime instructions rely on the provided script, and that script uses eval() with a restricted namespace while still allowing attribute access and constructs such as parentheses, dots and underscores. A crafted expression can therefore traverse Python internals (e.g., attribute chains like ().__class__.__mro__...) and potentially reach classes and functionality beyond math, enabling code execution or data access. The instructions understate the actual runtime risk.
Install Mechanism
No install spec, no downloads, and only a local Python script is included. There are no external packages or network installs, which is proportionate to a simple calculator tool.
Credentials
The skill requests no environment variables, credentials, or config paths — appropriate for a self-contained math utility.
Persistence & Privilege
The always flag is false and the skill does not request any special persistence or system-wide configuration. Model invocation is allowed (the default), which is normal; combined with the eval issue it increases the blast radius, but it is not a misconfiguration by itself.
What to consider before installing
Do not assume this skill is safe because it claims 'safe evaluation' or 'no eval' — the included script uses eval() and permits syntax (dots, underscores, parentheses) that can be used to access Python internals and potentially execute arbitrary code. Before installing or enabling it in any agent that can access sensitive data or system resources: (1) ask the publisher to explain why SKILL.md claims "不使用eval" while the code uses eval; (2) request that the author replace eval with a true safe evaluator (e.g., evaluate a parsed AST with an allowlist of nodes, or use a vetted library like asteval/numexpr/sympy) and explicitly block attribute access; (3) if you must use it, run the skill in a restricted sandbox with no access to files, network, or credentials; (4) prefer not to enable autonomous invocation for this skill until the eval implementation is fixed. Example of the type of expression an attacker could try (technical): "().__class__.__mro__[1].__subclasses__()" — such patterns are used to discover system classes and can lead to escalation if eval allows attribute access.
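As an added example (not the skill's own code, which per the scan above relies on eval()), here is a minimal allowlisted AST evaluator of the kind point (2) recommends: it supports exactly the operators, functions and constants the README lists and refuses attribute access, subscripts and calls to anything else. The names safe_eval and rejects are assumed, and the code assumes Python 3.8+ (ast.Constant).

```python
import ast
import math
import operator

# Allowlist matching what the README promises: sin, cos, tan, log, sqrt, abs, pi, e and + - * / ^ %.
FUNCTIONS = {"sin": math.sin, "cos": math.cos, "tan": math.tan,
             "log": math.log, "sqrt": math.sqrt, "abs": abs}
CONSTANTS = {"pi": math.pi, "e": math.e}
BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
           ast.Div: operator.truediv, ast.Mod: operator.mod, ast.Pow: operator.pow}
UNARY_OPS = {ast.UAdd: operator.pos, ast.USub: operator.neg}
MAX_EXPONENT = 1000  # guard against 9^9^9-style expressions that hang the process

def safe_eval(expression: str) -> float:
    """Evaluate a math expression by walking its AST (Python 3.8+); anything outside the allowlist raises."""
    # The README uses ^ for exponentiation; in Python ^ is XOR, so rewrite before parsing.
    tree = ast.parse(expression.replace("^", "**"), mode="eval")
    return _eval_node(tree.body)

def _eval_node(node):
    if isinstance(node, ast.Constant) and type(node.value) in (int, float):
        return node.value
    if isinstance(node, ast.Name):
        if node.id in CONSTANTS:
            return CONSTANTS[node.id]
        raise ValueError(f"unknown name: {node.id}")
    if isinstance(node, ast.BinOp) and type(node.op) in BIN_OPS:
        left, right = _eval_node(node.left), _eval_node(node.right)
        if isinstance(node.op, ast.Pow) and abs(right) > MAX_EXPONENT:
            raise ValueError("exponent too large")
        return BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and type(node.op) in UNARY_OPS:
        return UNARY_OPS[type(node.op)](_eval_node(node.operand))
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id in FUNCTIONS and not node.keywords):
        return FUNCTIONS[node.func.id](*[_eval_node(a) for a in node.args])
    # ast.Attribute (the dotted chains in the scan report), ast.Subscript, strings,
    # lambdas, comprehensions and calls to anything else all land here.
    raise ValueError(f"disallowed syntax: {type(node).__name__}")

def rejects(expression: str) -> bool:
    """True when safe_eval refuses the expression instead of evaluating it."""
    try:
        safe_eval(expression)
    except (ValueError, SyntaxError, TypeError):
        return True
    return False
```

Because the walker only ever dispatches on node types it knows, a new Python syntax feature fails closed rather than slipping through, which is the property a restricted-namespace eval() cannot give.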
scripts/math_calculator.py:108
Dynamic code execution detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latest: vk9706qvc9xwah8axmd92knb7ah85myrw
29 downloads
0 stars
1 version
Updated 16h ago
v1.0.0
MIT-0

cn-math-calculator

Math expression calculator. Supports basic arithmetic, scientific calculation and unit conversion.

Features

  • Arithmetic: + - * / ^ (power) % (modulo)
  • Scientific functions: sin, cos, tan, log, sqrt, abs
  • Constants: pi, e
  • Unit conversion: length, weight, temperature, area
  • Safe expression evaluation (no eval)
  • Purely local processing, no API required

Requirements

  • Python 3.6+
  • No external dependencies

Usage

千策, compute 2^10 + 100
千策, compute sqrt(144)
千策, convert: how many miles is 100 kilometers

Parameters

  • expression: the math expression
  • convert: unit-conversion format (value source-unit -> target-unit)

Example

Input:

千策, compute (100 + 50) * 2 - 30

Output:

结果: 270

Category

Tools

Keywords

计算器 (calculator), 数学 (math), calculator, math, 单位换算 (unit conversion)
