Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

TXT E-book Cleaning and Repair

v4.1.0

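Cleans up and repairs mojibake (garbled text), ads, and formatting problems in pirated TXT e-books. Supports an AI-enhanced mode that can intelligently identify non-standard ads, fix complex mojibake, and recognize non-standard chapter formats. Trigger phrases: txt清理, 电子书修复, 去广告, 修乱码, 排版修复, 清理txt, 修复电子书, txt乱码, txt广告.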

by SunYin (@sunfirehw)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
Name/description match the included scripts: the repo contains rule-based cleaners and AI modules for ad detection, mojibake fixing, and chapter parsing — these are appropriate for a txt-cleaning skill. Minor inconsistency: SKILL metadata lists no required binaries/env, yet SKILL.md and scripts assume Python 3.x and third‑party libraries (chardet, pyyaml, requests).
! Instruction Scope
Runtime instructions explicitly instruct the agent to search the user's device for TXT files (search_file), upload selected files to a cloud URL (upload_file) and then use curl to download them into the working directory, and to call an LLM for AI-enhanced processing. Those steps necessarily transmit user file content outside the local environment; while needed to process arbitrary user files, the instructions do not clearly document where uploads/LLM requests are sent or what privacy protections apply.
Install Mechanism
There is no install spec (instruction-only), which lowers supply-chain risk, but the skill includes many Python scripts and a non-trivial LLM client (scripts/utils/llm_client.py). Dependencies are listed in SKILL.md but not enforced by the registry metadata. The absence of an install step means the runtime environment (Python libs, correct versions) is assumed rather than provisioned — potential runtime failures or silent use of system Python.
! Credentials
The skill declares no required environment variables or credentials, yet it will perform LLM calls (via a bundled llm_client) and upload files to a cloud URL. LLM client behavior and upload target are determined by config (ai_config.yaml uses 'openclaw-subagent' by default) and by the unshown llm_client implementation; this can lead to unadvertised network endpoints and possible exfiltration of file contents or sensitive text. No explicit API key or endpoint is declared in the skill metadata.
Persistence & Privilege
always:false and no modifications of other skills or global agent settings were observed. The skill writes learned rules and logs to local files (e.g., learned_mojibake_rules.json, ai_enhancement.log) which is expected for a learning/cleanup tool but should be considered when evaluating disk storage/privacy.
What to consider before installing
This skill appears to implement the advertised TXT cleaning functionality, but it will: (1) search your device for TXT files, (2) upload selected files to get a public URL, and (3) send text to an LLM via a bundled llm_client. Before installing or running: review scripts/utils/llm_client.py to see exactly which endpoints and credentials are used; confirm where upload_file sends files (cloud provider/URL) and whether that meets your privacy/copyright constraints; if you must avoid sending content off-device, run only the rule-based 'fast' mode locally or run the Python scripts in a sandbox you control; ensure required Python and pip packages are installed from trusted sources; and be cautious about automatic learning/persistence files (learned_mojibake_rules.json, logs) which may store excerpts of processed text. If you need a safer setup, request a version that guarantees local-only processing (no uploads/subagent LLM calls) and documents dependency installation.

Like a lobster shell, security has layers — review code before you run it.
