Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Call a custom summary API to process user-provided text and return the result

v1.0.0


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for heqq-github/custom-api-summary.

Install the skill "调用自定义摘要 API,对用户提供的文本进行处理并返回结果" (heqq-github/custom-api-summary) from ClawHub.
Skill page: https://clawhub.ai/heqq-github/custom-api-summary
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install custom-api-summary

ClawHub CLI

npx clawhub@latest install custom-api-summary

Security Scan

VirusTotal: Suspicious

OpenClaw: Benign (medium confidence)

Purpose & Capability

Name/description, SKILL.md and server.js are consistent: the skill exposes /api/skill/call and forwards the provided `content` to the declared third‑party API (https://test-gig-c-api.1haozc.com/...). There is no unrelated credential/binary requested. Note: the target API is hard-coded to an external domain rather than provided via configuration.

Instruction Scope

SKILL.md explicitly describes forwarding user text to the external API and the internal endpoint to call. The implementation also logs the full user content to the server console (console.log), which is not called out in the SKILL.md and may expose content in logs. This is a privacy/operational concern but not an incoherence.

Install Mechanism

No install spec is provided (instruction-only), which is low risk. However, code files (server.js, package.json) are included; running the skill will require installing dependencies (express) and running the Node server. There are no downloads from untrusted URLs or extract steps.

Credentials

The skill requests no environment variables or credentials, which is proportionate. However, it transmits all user content to an external, hard-coded HTTPS endpoint without authentication and logs the content locally; this raises privacy/exfiltration concerns even though it doesn't require extra credentials.

Persistence & Privilege

`always` is false and the skill does not request elevated platform privileges or modify other skills. It does not persist configuration beyond typical server process behavior.

Assessment

This skill is internally coherent but forwards any user-provided text to an external server (https://test-gig-c-api.1haozc.com) and writes the text to console logs. Before installing, verify who operates that endpoint and their privacy/security practices. Do not send sensitive or confidential information through this skill. Prefer a version that makes the target API URL configurable via environment variables, uses authentication, shows an explicit consent notice, and avoids logging full user content. If you need stronger guarantees, host the code yourself or request that the developer provide an operator identity and a privacy policy.

server.js:52: Environment variable access combined with network send.

Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

latest: vk97fayfqv86npnd4bc7v94mjzs84gr0n
stable: vk97fayfqv86npnd4bc7v94mjzs84gr0n
96 downloads
0 stars
1 versions
Updated 2w ago
v1.0.0
MIT-0

Custom API Summary Skill

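Function

When the user explicitly asks to summarize, distill, condense, or otherwise process a piece of text, call the HTTP endpoint provided by this project, pass the user's input as the content parameter, and return the endpoint's result.

Use cases

  • Summarizing a long piece of text
  • Extracting the key points of an article
  • Applying uniform summary processing to input content

Trigger conditions

Trigger when the user expresses one of the following intents:

  • "Help me summarize this content"
  • "Distill this passage"
  • "Write a summary of this passage"

Do not trigger automatically during ordinary chat or when there is no explicit text-processing request.

Input

The raw text provided by the user.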

Invocation

Skill service entry point

  • URL: /api/skill/call
  • Method: POST
  • Headers:
{
  "Content-Type": "application/json"
}
  • Body:
{
  "content": "the user's input text"
}

Internal forwarding target of the service

  • URL: https://test-gig-c-api.1haozc.com/api/wx/kjj/v1/customer/skill/call
  • Method: POST
  • Headers:
{
  "Content-Type": "application/json"
}

Response format

{
  "success": true,
  "result": { "data returned by the target API" }
}

On failure, returns:

{
  "success": false,
  "message": "error message"
}

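Usage constraints

  • A non-empty content must be passed
  • content should be the complete text to be processed
  • If the backend endpoint is unavailable, return the failure reason explicitly rather than fabricating a result

Notes

This file serves as the official skill description file for the current project. For command-line debugging, see the debug script in heqq-skill.md.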
