Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Find Skills

v1.0.5

Intelligent search and discovery of OpenClaw skills, with Chinese-English bilingual support and multi-source search

0· 927·2 current·3 all-time
bybittao@hgta23

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for hgta23/findskills.

Prompt Preview: Install & Setup
Install the skill "Find Skills" (hgta23/findskills) from ClawHub.
Skill page: https://clawhub.ai/hgta23/findskills
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install findskills

ClawHub CLI

npx clawhub@latest install findskills
Security Scan
Capability signals
Requires OAuth token
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description and runtime code align: the package implements a multi-source search/recommendation engine (ClawHub mirror, GitHub, local sources). However there are small mismatches in metadata: SKILL.md claims TypeScript and Fuse.js (fuzzy search) while package.json only lists axios and the package.json version (1.0.4) differs from registry metadata (1.0.5). These look like sloppy packaging rather than functional breakage, but they are inconsistencies to verify.
Instruction Scope
SKILL.md describes CLI commands (search, info, recommend, etc.) and the code implements those behaviors. The runtime instructions and code limit their actions to searching sources, formatting results, caching, and basic recommendation—there is no code that reads arbitrary local files, spawns shells, or exfiltrates system credentials.
Install Mechanism
There is no install spec in the manifest (instruction-only), but the skill includes runnable code and a package.json with a single dependency (axios). No downloads from arbitrary URLs or archive extraction are present in the codebase. The lack of declared dependencies mentioned in SKILL.md (e.g., Fuse.js) is a packaging inconsistency you should confirm before running.
Credentials
The skill declares no required environment variables or credentials and the code only optionally accepts an API key for the ClawHub client. It does not request or access unrelated secrets or config paths. That said, the client will make outbound HTTP requests, so no secrets should be provided to unknown endpoints.
Persistence & Privilege
The skill does not request always:true or any privileged persistent presence. It does not modify system or other-skill configs. Normal autonomous invocation is allowed by default (not a concern on its own).
What to consider before installing
This skill appears to implement what it claims (a skills search/recommender) but there are a few red flags to check before installing:

  • Verify the external endpoints: the code queries https://clawhub.ai and a mirror at https://skills.volces.com. Confirm you trust that mirror domain; if not, remove or sandbox network access.
  • Confirm dependencies and packaging: SKILL.md mentions Fuse.js/TypeScript but package.json only contains axios and the repo version differs from the registry metadata. Ensure required libraries are installed and consider running the package in an isolated environment first.
  • No secrets are required; do not supply API keys or tokens to unknown endpoints unless you can verify the endpoint's legitimacy.
  • If you need higher assurance, review the source-manager and source implementation files (src/sources/*) to see exactly which remote URLs are called and how responses are handled.

Given these inconsistencies and the presence of a third-party mirror, proceed with caution (run in a sandbox or review network traffic) rather than outright blocking the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ef590x3d2jw1gja213w885584dvm8
927 downloads
0 stars
6 versions
Updated 2w ago
v1.0.5
MIT-0

name: findskills
version: 1.0.5
description: 智能搜索和发现 OpenClaw 技能,支持中英双语,多来源搜索
homepage: https://clawhub.ai
metadata:
  openclaw:
    emoji: "🔍"
    requires:
      bins: []

FindSkills Skill Package

Introduction

FindSkills is a powerful OpenClaw skill search and discovery tool that helps users quickly find the skill packages they need.

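Features

  • Intelligent search: search across multiple dimensions such as keyword, tag, and author
  • Chinese-English bilingual: fully supports searching in both Chinese and English
  • Multi-source search: search for skills across multiple sources, including ClawHub and local repositories
  • Real-time updates: the skill database is kept up to date
  • Detailed information: provides each skill package's full description, usage examples, and version information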

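Use Cases

  1. Finding a specific skill: quickly locate skill packages that match your needs
  2. Browsing by category: browse available skills by category
  3. Skill trend analysis: see popular skills and the latest releases
  4. Skill dependency lookup: view the dependencies between skill packages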

Search Syntax

FindSkills supports an advanced search syntax:

  • Keyword search: "web scraping"
  • Tag search: tag:automation
  • Author search: author:clawhub
  • Combined search: "data analysis" tag:python

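Installation and Usage

After installation, you can use the following commands:

  • Search for skills: findskills search <keyword>
  • List trending skills: findskills trending
  • View skill details: findskills info <skill-name>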

Tech Stack

  • Node.js
  • TypeScript
  • Axios (HTTP requests)
  • Fuse.js (fuzzy search)

Contributing

Issues and Pull Requests are welcome on GitHub!

License

MIT License
