Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
File Exchange via Qiniu Kodo
v1.0.0
Transfer files exclusively through Qiniu Kodo using qshell commands for downloading and uploading with timestamped filenames in specific directories.
⭐ 0 · 39 · 0 current · 0 all-time
by @kadbbz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (medium confidence)
Purpose & Capability
Name/description match the SKILL.md: it is explicitly a qshell-based Qiniu Kodo file transfer helper. Requesting Qiniu AK/SK and using qshell is coherent with the stated purpose. However, the registry metadata lists no required environment variables or credentials while the runtime instructions require QINIU_ACCESS_KEY and QINIU_SECRET_KEY — this is an inconsistency.
Instruction Scope
SKILL.md instructs the agent to download/run qshell, read QINIU_ACCESS_KEY and QINIU_SECRET_KEY from environment variables, create workspace directories, download/upload files with qshell, and insert absolute file paths into the agent context. These actions are within a file-transfer scope, but the instructions access environment variables that are not declared in the skill metadata and require executing a downloaded binary at runtime — both are security-relevant.
Install Mechanism
No install spec is provided, but the instructions explicitly direct downloading tar.gz binaries from a qiniu domain (kodo-toolbox-new.qiniu.com) with query parameters that the document insists must be preserved. Downloading and running/extracting remote archives at runtime is higher risk: the host is a vendor domain (likely Qiniu) rather than a widely-audited release host like GitHub releases, and the query params raise tracking/validation concerns. The skill does not provide checksums or verification steps.
Credentials
The SKILL.md requires QINIU_ACCESS_KEY and QINIU_SECRET_KEY (and uses them for qshell account login), which is proportional to a Qiniu upload/download tool. However, the registry metadata claims 'Required env vars: none' — a mismatch. The skill asks for secrets named SECRET/KEY which should be explicitly declared and justified in metadata; lacking that visibility is a red flag.
Persistence & Privilege
The skill is instruction-only, does not set always:true, and does not request system-wide changes or modify other skills. It will create workspace directories and may write files under workspace, which is expected for a file-transfer helper.
What to consider before installing
This skill looks like a legitimate Qiniu Kodo qshell-based file transfer helper, but it has two practical concerns you should address before installing:
1) Metadata mismatch: SKILL.md requires QINIU_ACCESS_KEY and QINIU_SECRET_KEY, but the registry metadata declares no required env vars. Ask the publisher to update metadata to explicitly list these environment variables and their purpose before trusting the skill.
2) Remote binary download: the skill instructs downloading and running qshell tarballs from a qiniu domain. Verify that the URLs are official (confirm on Qiniu's official docs or vendor site), request checksums/signatures, and prefer installing qshell via your vetted package manager or from an audited release. If you must provide credentials, use scoped/minimal-permission keys (bucket-limited), rotate them after testing, and avoid giving long-lived full-account keys.
If you cannot verify the qshell binaries or cannot ensure the environment variables are limited in scope, treat this skill as untrusted. Ask the publisher for updated metadata, checksums, and a safer install path (e.g., official package manager or documented vendor release).
Like a lobster shell, security has layers — review code before you run it.
latest · vk9795nrs9vypb51w4yb6rhmqyd84eykt