ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Costco

v1.0.6

提供Costco产品信息、会员服务、门店查询及优惠,辅助会员批发购物和了解附加服务。

0· 84·0 current·1 all-time
by@hanxueyuan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill description promises dynamic features (门店查询, 会员服务, 优惠) that normally require APIs, data sources, or credentials, but the skill declares no env vars, binaries, or install steps and the SKILL.md provides only static encyclopedic content. This mismatch means the declared purpose is not implemented by the provided instructions.
Instruction Scope
SKILL.md is narrow and benign: it instructs the agent to present static Costco background and navigation when the user asks. It does not instruct the agent to read unrelated files, call external endpoints, or access credentials.
Install Mechanism
No install spec and no code files — instruction-only. This is low-risk because nothing will be written to disk or downloaded at install time.
Credentials
The skill requests no environment variables, credentials, or config paths. That is proportionate to the actual SKILL.md behavior (static info). If the publisher intended dynamic features, those would likely require additional credentials which are not declared.
Persistence & Privilege
always is false and there are no indications the skill requests elevated or permanent privileges. Autonomous invocation is allowed by default but not itself a red flag here.
What to consider before installing
This skill appears safe to install from a technical perspective (no downloads, no credentials requested), but it likely does not deliver the dynamic features its description promises (store lookup, membership tools, discounts). Before relying on it, ask the publisher for details or a homepage/source, or prefer official Costco channels/APIs for live store and membership data. If you need the advertised features, require the skill author to declare what APIs/data sources it uses and any credentials needed.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b7jtwnkvk3dn1404vw6vm2n84w5m6

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments