Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
testskill-repo5
v1.0.1 · Open-source code compliance scanning and in-depth interpretation tool. Triggers CodeCC scans on Gongfeng (工蜂) Git repositories and provides code-style, security-vulnerability, cyclomatic-complexity, duplication-rate and SCA component analysis. Use when users mention '代码扫描' (code scan), 'CodeCC', '代码检测' (code inspection), '安全漏洞' (security vulnerability), '合规检测' (compliance check), 'code scan', 'vulnerab...
⭐ 0 · 72 · 0 current · 0 all-time
by yuangui@yinwuzhe
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw verdict: Suspicious (high confidence)
Purpose & Capability
The name and description say this skill integrates with CodeCC and Git repositories to run scans and SCA, yet the package requests no credentials, binaries, config paths, or install steps, nothing that would give it access to repositories or CodeCC APIs. The declared requirements are not coherent with the stated purpose.
Instruction Scope
SKILL.md contains only placeholder markdown (two headings and a couple of list items). There are no runtime instructions on how to trigger a scan, how to authenticate to CodeCC or Git, or where results are sent. The instructions do not implement the described functionality.
Install Mechanism
No install spec and no code files — lowest install risk. Because nothing is downloaded or written to disk, the install surface is minimal.
Credentials
Given the claimed functionality, one would expect required environment variables or credentials (a Git service token, a CodeCC API key, SCA registry credentials). The skill asks for none, which is out of proportion to what it claims to do and suggests missing or incomplete configuration.
Persistence & Privilege
Default flags (always:false, autonomous invocation allowed) are normal. The skill does not request persistent presence or modify other skills or system settings.
What to consider before installing
Do not install this skill expecting working CodeCC/Git scanning; the package is incomplete. Ask the publisher for: (1) a full SKILL.md with concrete runtime steps showing how it authenticates to CodeCC/Git and which tokens and permissions are required; (2) a source or homepage plus code files or an install spec; and (3) an explicit list of required environment variables and scopes. If you need a scanner now, prefer a skill that documents its required credentials and shows how it calls official APIs (e.g., api.codecc or your Git provider) over this placeholder. If the author cannot provide those details, treat the skill as non-functional and grant it no credentials.
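The findings above all follow one heuristic: compare what a skill's description claims to do against what the package declares it needs (credentials, binaries, install steps) and whether SKILL.md actually contains runnable instructions. The script below is an added example of that check, written for this page; it is not ClawHub's scanner, the manifest fields (`env`, `binaries`, `install`, `code_files`) and the keyword-to-requirement mapping are assumptions, and both sample packages are constructed.

```python
"""Coherence check for an agent-skill package: do the claimed capabilities
match the declared requirements?  Illustrative only; the manifest shape and
INTEGRATION_HINTS mapping are assumptions, not a real registry format."""
import re
from dataclasses import dataclass, field

# Capability keywords that imply an external integration, and the requirement
# a working skill would have to declare for each (assumed mapping).
INTEGRATION_HINTS = {
    "codecc": "API credential or endpoint for CodeCC",
    "git": "Git service token or SSH key",
    "sca": "SCA/registry credentials or a scanner binary",
    "scan": "a scanner binary, install step, or API call",
}


@dataclass
class Finding:
    area: str
    severity: str  # "info" or "warn"
    detail: str


@dataclass
class SkillPackage:
    name: str
    description: str
    skill_md: str
    env: list = field(default_factory=list)         # required env vars
    binaries: list = field(default_factory=list)    # required executables
    install: list = field(default_factory=list)     # install steps / spec
    code_files: list = field(default_factory=list)  # shipped source files


def claimed_integrations(description: str) -> dict:
    """Return the hint entries whose keyword appears as a whole word."""
    text = description.lower()
    return {k: v for k, v in INTEGRATION_HINTS.items() if re.search(rf"\b{k}\b", text)}


def is_placeholder(skill_md: str) -> bool:
    """Placeholder = a handful of non-heading lines with no URL, env var,
    inline command or action verb that an agent could actually execute."""
    lines = [l.strip() for l in skill_md.splitlines() if l.strip()]
    body = [l for l in lines if not l.startswith("#")]
    actionable = re.compile(r"https?://|\$[A-Z_]+|`[^`]+`|\b(run|curl|export)\b", re.I)
    return len(body) < 4 and not any(actionable.search(l) for l in body)


def assess(pkg: SkillPackage) -> tuple[str, list]:
    findings: list[Finding] = []
    claims = claimed_integrations(pkg.description)
    declares_access = bool(pkg.env or pkg.binaries or pkg.install)
    if claims and not declares_access:
        needs = "; ".join(sorted(set(claims.values())))
        findings.append(Finding("Purpose & Capability", "warn",
            f"claims {', '.join(sorted(claims))} integration but declares no "
            f"credentials, binaries or install steps (would expect: {needs})"))
    if is_placeholder(pkg.skill_md):
        findings.append(Finding("Instruction Scope", "warn",
            "SKILL.md is placeholder markdown with no runtime instructions"))
    if not pkg.install and not pkg.code_files:
        findings.append(Finding("Install Mechanism", "info",
            "no install spec and no code files: minimal install surface"))
    if claims and not pkg.env:
        findings.append(Finding("Credentials", "warn",
            "no required env vars despite claimed external access"))
    verdict = "suspicious" if any(f.severity == "warn" for f in findings) else "ok"
    return verdict, findings


# Constructed sample 1: mirrors the shape of the package reviewed above.
PLACEHOLDER_SKILL = SkillPackage(
    name="testskill-repo5",
    description="Code scan tool. Triggers CodeCC scans on Git repositories and "
                "provides security vulnerability and SCA component analysis.",
    skill_md="# testskill-repo5\n## Steps\n- scan code\n- report\n",
)

# Constructed sample 2: same claims, but the requirements are declared.
COHERENT_SKILL = SkillPackage(
    name="codecc-scan",
    description="Triggers CodeCC scans on Git repositories with SCA analysis.",
    skill_md="# codecc-scan\n## Setup\nExport CODECC_TOKEN and GIT_TOKEN first.\n"
             "## Run\nPOST to https://api.example.invalid/scan with the repo URL.\n"
             "Report findings in the conversation.\n",
    env=["CODECC_TOKEN", "GIT_TOKEN"],
    install=["pip install codecc-client"],  # hypothetical install step
    code_files=["scan.py"],
)

if __name__ == "__main__":
    for pkg in (PLACEHOLDER_SKILL, COHERENT_SKILL):
        verdict, findings = assess(pkg)
        print(f"{pkg.name}: {verdict}")
        for f in findings:
            print(f"  [{f.severity}] {f.area}: {f.detail}")
```

The check is deliberately conservative: a skill that declares nothing and claims nothing passes, and a skill that declares a token for every claimed integration passes. Only the mismatch between claim and declaration is flagged, which is exactly the signal the scan result above is built on.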
latest: vk975wpqd80xaz0kfqdwpyb75fs84ew18
