ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

doc-export

将对话中解决的问题整理成方案文档,部署到 web 服务器供用户下载

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 23 · 0 current installs · 0 all-time installs
by@binyuli
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill says it will generate docs and deploy them to a web server, which is coherent with the instructions; however the SKILL.md hardcodes a specific domain (ucloud.demo.binyuli.top) and a specific webroot path (/www/wwwroot/...) without declaring or justifying access to that host or path. The metadata lists no required config/credentials despite the instructions assuming write access to system webroot and /root, which is disproportionate and unexplained.
!
Instruction Scope
Instructions explicitly tell the agent to create files under /root/.openclaw/workspace/docs/ and copy them into /www/wwwroot/ucloud.demo.binyuli.top/, then to delete only the web-exposed copy on user confirmation while retaining an archive. That means the agent will write potentially sensitive conversation content to local filesystem and to a public webroot. The SKILL.md does not require explicit user confirmation before publishing, nor does it offer configuration to change the hardcoded domain/paths.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so there is no installer download or third-party package risk. The surface risk comes from the runtime file operations described in SKILL.md rather than from an installation step.
!
Credentials
No environment variables or credentials are declared even though the skill assumes the agent has permission to write into /root and a webserver root. The hardcoded public domain implies the files may be hosted by an external/demo host rather than a user-controlled server, which could lead to inadvertent data exfiltration. Retaining archived copies in /root while only removing the public copy increases persistent exposure.
Persistence & Privilege
The skill is not set to always:true and does not request platform-level persistence, but it instructs the agent to keep an archive copy under /root/.openclaw/workspace/docs/ after deleting the web-exposed file — this creates persistent local storage of conversation content. The default ability for the agent to invoke the skill autonomously is unchanged (normal), but combined with the noted file operations it increases blast radius.
What to consider before installing
This skill will publish conversation-derived documents to a web root and keep a local archive, but it hardcodes the domain and filesystem paths and does not declare credentials or require explicit publishing confirmation. Before installing: verify who controls ucloud.demo.binyuli.top and the /www/wwwroot path (do you trust this host?), do not upload sensitive or private conversation content, and ask the author to make the target domain/path configurable (preferably an environment variable you control). Request the skill be changed so it: (1) asks for explicit, per-file user confirmation before publishing; (2) allows the user to specify the web host and path; (3) offers secure deletion of both web and archive copies or encrypts archives; and (4) documents who controls the remote server. If you do not control the indicated webserver, do not use the skill as-is — it could publish data to a third party.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk9709ssvcewc1xpe9y2nyqsqdx830sff

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

doc-export Skill

将对话中解决的问题整理成方案文档,部署到 web 服务器供用户下载。

触发条件

当用户说类似以下内容时触发:

  • "整理成文档给我下载"
  • "把解决方案整理成md我下载"
  • "导出文档"
  • "整理成方案文档"
  • "生成文档并给我下载链接"

执行流程

1. 整理文档

  • 根据对话内容整理解决方案
  • 使用 Markdown 格式
  • 包含:问题背景、解决步骤、配置示例、常见问题等
  • 保存到 /root/.openclaw/workspace/docs/ 目录
  • 文件命名:<主题>-guide.md<主题>.md

2. 部署到 Web

  • 复制文件到 nginx web 目录:/www/wwwroot/ucloud.demo.binyuli.top/
  • 用户的域名:ucloud.demo.binyuli.top(已配置 HTTPS)
  • 下载链接格式:https://ucloud.demo.binyuli.top/<文件名>

3. 告知用户

  • 提供下载链接
  • 必须提醒用户:下载完告诉我要清理文件

示例回复:

文档准备好了!

下载链接: https://ucloud.demo.binyuli.top/xxx-guide.md

下载完告诉我,我帮你清理文件。

4. 清理文件

用户确认下载完成后:

  • 删除 /www/wwwroot/ucloud.demo.binyuli.top/ 下的临时文档
  • 保留 /root/.openclaw/workspace/docs/ 下的原始文档(作为归档)

相关配置

  • Web 根目录:/www/wwwroot/ucloud.demo.binyuli.top/
  • 文档归档目录:/root/.openclaw/workspace/docs/
  • 用户域名:ucloud.demo.binyuli.top(HTTPS)

注意事项

  • 文件名使用英文,避免中文和空格
  • 使用 kebab-case 命名(如 whatsapp-setup-guide.md
  • 清理时只删 web 目录的文件,保留归档

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…