ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

承运商指数查询

v1.0.0

基于Excel表格及指标定义,生成承运商维度的指数、行业平均数据,并支持历史趋势图展示与指标构成解析

0· 73·0 current·0 all-time
by@a-vb
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Reading local Excel/CSV, computing averages, ranking, trend plots and identifying contributing sub-indicators all align with the described carrier-index purpose. Calling an external index-definition and overview pages could be legitimate if those pages provide needed metadata/weights, but the SKILL.md does not explain why these specific endpoints are required or whether they require auth.
!
Instruction Scope
Instructions explicitly require reading local files (expected) and 'calling' two external URLs (http://jingwe.jdl.com/#/indexCenter/indexDirection and http://jingwe.jdl.com/#/indexCenter/shipperOverview). The document does not state what data is sent to those endpoints, whether requests are GET/POST, or whether authentication is needed. The skill also instructs downloading anomaly details from that site filtered by user inputs — this could cause carrier names, dates, or other sensitive data to be transmitted externally. The instructions are vague about network behavior and error handling.
Install Mechanism
No install spec and no code files — instruction-only. This minimizes installation risk since nothing is written to disk by the skill itself.
Credentials
The skill does not request any environment variables or credentials, which is appropriate for a local Excel-processing tool. However, it nevertheless calls corporate-looking web endpoints; the lack of declared credentials or guidance for authenticated access is a gap. If those endpoints require org credentials, the skill should request them explicitly and justify their need.
Persistence & Privilege
always is false and there are no install hooks or modifications to other skills or system settings. The skill does not request elevated persistence or privileges.
What to consider before installing
Before installing or using this skill, consider the following: - It will read local Excel/CSV files you supply — only provide data you are comfortable letting the agent access. - The runtime instructions tell the agent to call two external web routes on jingwe.jdl.com and to download anomaly details from that site. Confirm whether that domain is trusted (e.g., an internal corporate service) and whether sending carrier names/dates to it is acceptable. - The SKILL.md does not declare any authentication or credentials for those endpoints. Ask the developer (or require) explicit instructions on what requests are made, whether authentication is required, and what data will be transmitted. - If you cannot confirm the endpoint's trustworthiness, avoid enabling outbound network access for this skill or run it in an offline/local-only mode (implement local equivalents of the index-definition and anomaly retrieval). - Request that the skill author clarify request methods, data fields sent, and add explicit handling for authenticated APIs (and only request minimal credentials if needed).

Like a lobster shell, security has layers — review code before you run it.

latestvk97btxpcv5de3n078fr7hvtz7h83f4kx

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments